网址嵌入的凭据 [英] URL-embedded credentials

问题描述

Wikipedia says HTTP基本认证依赖于授权

Wikipedia says that HTTP Basic authentication relies on the Authorization header to provide credentials from the client to the server.

但是也可以将凭证嵌入到URL中：

But it is also possible to embed the credentials in the URL:

http(s)://<user>:<password>@<host>/<path>

它是由浏览器解释并转换为 Authorization 标题或直接发送到服务器？

Is it something that is interpreted by the browser and converted into a Authorization header or is it directly sent to the server?

推荐答案

也可以在URL中嵌入凭证

But it is also possible to embed the credentials in the URL

仅当浏览器支持HTTP时出错时，通常故意这样做向后兼容浏览器，人们错误地认为这是一个好主意。

Only if the browser is buggy in its support of HTTP, often deliberately so to be backwards compatible with browsers where people mistakenly thought this was a good idea.

HTTP方案从来没有被允许，尽管URI语法通常允许用户信息。

It's never been allowed by the HTTP scheme, though the URI syntax more generally does allow user information there.

它是由浏览器解释并转换为授权标头的东西。

Is it something that is interpreted by the browser and converted into a Authorization header.

是的。如果服务器发送401，则浏览器将使用该用户名和密码进行回复。至少有一个曾经先发制人地尝试Basic的人，在现有的坏主意之上显然是一个坏主意。

Yes. If the server at sent a 401 the browser would reply using that username and password. There has been at least one that used to pre-emptively attempt Basic which was obviously a bad idea on top of the existing bad idea.

这篇关于网址嵌入的凭据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！