URL-embedded credentials

Problem description

Wikipedia says that HTTP Basic authentication relies on the Authorization header to provide credentials from the client to the server.

But it is also possible to embed the credentials in the URL:

http(s)://<user>:<password>@<host>/<path>

Is it something that is interpreted by the browser and converted into an Authorization header or is it directly sent to the server?

Recommended answer

> But it is also possible to embed the credentials in the URL

Only if the browser is buggy in its support of HTTP, often deliberately so to be backwards compatible with browsers where people mistakenly thought this was a good idea.

It's never been allowed by the HTTP scheme, though the URI syntax more generally does allow user information there.

> Is it something that is interpreted by the browser and converted into an Authorization header.

Yes. If the server sent a 401 the browser would reply using that username and password. There has been at least one that used to pre-emptively attempt Basic which was obviously a bad idea on top of the existing bad idea.
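The conversion described in the answer, as an added example that is not part of the original answer: a Node.js helper that shows which `Authorization` header a client would derive from the URL userinfo, and returns the URL with the credentials stripped so it can be logged or stored safely. The function name `splitUrlCredentials`, the `example.test` hosts and the UTF-8 encoding of the credentials are assumptions made for illustration.

```javascript
// Added example (hypothetical helper, constructed sample URLs).
// Separates URL userinfo from the URL and builds the equivalent
// Basic Authorization header value (RFC 7617: base64(user-id ":" password)).
function splitUrlCredentials(rawUrl) {
  const url = new URL(rawUrl); // WHATWG URL parser, global in Node and browsers
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('not an http(s) URL: ' + url.protocol);
  }

  const hasUserinfo = url.username !== '' || url.password !== '';
  let authorization = null;

  if (hasUserinfo) {
    // URL.username and URL.password stay percent-encoded; decode before use.
    const user = decodeURIComponent(url.username);
    const pass = decodeURIComponent(url.password);
    // In Basic auth the first ":" separates user-id from password,
    // so a user-id containing ":" cannot be represented.
    if (user.includes(':')) {
      throw new Error('user-id contains ":" and cannot be sent as Basic');
    }
    // Assumption: credentials are encoded as UTF-8 before base64.
    authorization =
      'Basic ' + Buffer.from(user + ':' + pass, 'utf8').toString('base64');
  }

  // Remove the userinfo so the secret does not end up in logs,
  // browser history, bookmarks or Referer headers.
  url.username = '';
  url.password = '';

  return { cleanUrl: url.href, authorization, hasUserinfo };
}

// Constructed sample input: password "s3cr@t" with "@" percent-encoded.
const sample = splitUrlCredentials('https://alice:s3cr%40t@example.test/path?x=1');
console.log(sample.cleanUrl);      // URL without credentials
console.log(sample.authorization); // header value a client would send after a 401
```
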
