On 25 Feb 2021, at 17:14, Rick Cooper wrote:

As far as I can tell the authority/path-abempty portion of a uri is optional
and must begin with // but can be empty

No, https://tools.ietf.org/html/rfc7230#section-2.7.1 shows the definition in ABNF, a strictly-defined syntax for strictly defining other syntaxes. The "//" part denotes a mandatory literal string, in the same way that the "http:" part is a mandatory literal string. The 'authority' and 'path-abempty' parts are distinct mandatory named components which are defined in RFC3986, the text of which states that an authority is *preceded by* '//' (as it is in the spec of the http: URI) while the ABNF definition of authority (which is usually just a 'host' component) does not include '//' at all, i.e. an authority component itself does not include the preceding '//'.

Yeah, I know: pedantry. RFCs are intrinsically pedantic.

Incidentally, earlier this week there was a blog post by a security firm decrying such obfuscation of URIs in phishing email as if it were a cutting edge new tactic for bypassing filters. It is neither new nor does it fool any decent filters.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
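
The grammar point made in the reply above, as an added example that is not part of the original message: a Python check that a filter could run on links extracted from mail, following the `http-URI` rule in RFC 7230 section 2.7.1 and the `authority` rule in RFC 3986. The function name, reason strings and sample URIs are constructed for illustration, and only the scheme, the "//" literal and the host are checked.

```python
import re

# RFC 7230 section 2.7.1:
#   http-URI = "http:" "//" authority path-abempty [ "?" query ] [ "#" fragment ]
# RFC 3986 section 3.2:
#   authority = [ userinfo "@" ] host [ ":" port ]
# The "//" literal precedes the authority and is not part of it.
SCHEME = re.compile(r"^https?:", re.IGNORECASE)
# reg-name = *( unreserved / pct-encoded / sub-delims ); "%" stands in for pct-encoded
REG_NAME = re.compile(r"^[A-Za-z0-9\-._~%!$&'()*+,;=]+$")

NOT_HTTP = "not an http(s) URI"
NO_SLASHES = 'mandatory literal "//" missing after scheme'
BAD_HOST = "empty or malformed host in authority"
OK = "matches http-URI structure"


def check_http_uri(uri):
    """Return (ok, reason) for a candidate http/https URI (hypothetical helper)."""
    m = SCHEME.match(uri)
    if not m:
        return False, NOT_HTTP
    rest = uri[m.end():]
    if not rest.startswith("//"):
        return False, NO_SLASHES
    # The authority runs up to the first "/", "?" or "#", or to the end.
    authority = re.match(r"[^/?#]*", rest[2:]).group(0)
    hostport = authority.rsplit("@", 1)[-1]      # drop optional userinfo
    if hostport.startswith("["):                 # IP-literal such as [::1]
        end = hostport.find("]")
        return (True, OK) if end > 1 else (False, BAD_HOST)
    host = hostport.split(":", 1)[0]             # drop optional port
    # RFC 7230 also requires recipients to reject an empty host.
    if not host or not REG_NAME.match(host):
        return False, BAD_HOST
    return True, OK


if __name__ == "__main__":
    # Constructed samples, not taken from the thread.
    for sample in ("http://example.test/a?b#c", "http:/example.test/a",
                   "http:example.test", "https:///login",
                   "HTTPS://user@example.test:8443", "http://[::1]:8080/"):
        print(f"{sample!r:40} {check_http_uri(sample)}")
```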
