[spec] Regarding the proposal to remove status code 11
luke at marmaladefoo.com
Tue Mar 16 01:18:03 GMT 2021

On 15-Mar-2021 23:59, Sean Conner wrote:
> It was thus said that the Great Sandra Snan once stated:
>> The purpose for this status code is in case someone is looking over your
>> shoulder in the same physical location. That's why it's fine to be an
>> LSD (least significant digit / optional) code, it's a snazzy feature
>> that's nice to have but not mandatory. I think it's a good feature.
>> It doesn't send it unencrypted (i.e. same as any other request) so it's
>> not security theatre. It's there so people in the same location don't
>> see your password.
> Do current Gemini browsers include the query string when displaying the
> location? If they do in the case of a 10 status, perhaps they should not
> for an 11?

GemiNaut displays the full URI of the current resource being shown - as
you might see when using a normal web browser.

My view is that the client should be transparent to the user about the
location of the resource they are looking at. It is important they are
informed of the actual location and the client should not obfuscate the
location. If we start hiding content, the user may not be able to
readily actually see the location, which may be a security concern in
its own right.

We should not be trying to invent a new semantics for URLs - the
population at large understand what they are, how they are used etc.

Ironically the gemini URI scheme does not permit users to put user info
(user name or password) into the URI. However the status 11 allows it
back in - this is the primary role of this code as far as I understand
how people want to use it:

"In particular, the authority component is allowed and required,
but its userinfo subcomponent is NOT allowed."

So no, I won't be attempting to obfuscate URIs in GemiNaut and it will
warn users if the server invites them to put sensitive info into the URI.
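
The client-side handling discussed in this message, as an added example that is not part of the original post and is not GemiNaut's code: it parses a response header, rejects a gemini URI that carries userinfo, and for status 11 returns a warning alongside the follow-up URI whose query holds the input. The function names, host, prompt and input are assumptions made for illustration.

```python
from urllib.parse import quote, urlsplit, urlunsplit

INPUT, SENSITIVE_INPUT = 10, 11  # Gemini input status codes


def parse_header(line: bytes):
    """Split a Gemini response header '<STATUS><SPACE><META><CR><LF>'."""
    text = line.decode("utf-8")
    if not text.endswith("\r\n"):
        raise ValueError("header must end with CRLF")
    status, _, meta = text[:-2].partition(" ")
    if len(status) != 2 or not (status.isascii() and status.isdigit()):
        raise ValueError("status must be two digits")
    return int(status), meta


def check_uri(uri: str):
    """Parse a gemini URI, rejecting one that carries userinfo."""
    parts = urlsplit(uri)
    if parts.scheme != "gemini" or not parts.hostname:
        raise ValueError("not a gemini URI with an authority")
    if "@" in parts.netloc:
        raise ValueError("userinfo is not allowed in gemini URIs")
    return parts


def answer_input(uri: str, header: bytes, user_input: str):
    """Return (follow-up URI, warnings) for a 10 or 11 response."""
    status, prompt = parse_header(header)
    if status not in (INPUT, SENSITIVE_INPUT):
        raise ValueError(f"status {status} is not an input request")
    parts = check_uri(uri)
    warnings = []
    if status == SENSITIVE_INPUT:
        warnings.append(f"server asks for sensitive input ({prompt!r}); "
                        "it will be placed in the URI query string")
    # The input replaces any existing query and is percent-encoded.
    query = quote(user_input, safe="")
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, "")), warnings


if __name__ == "__main__":
    # Constructed sample: hypothetical host, prompt and input.
    uri, notes = answer_input("gemini://example.org/login",
                              b"11 Password\r\n", "p@ss word")
    print(uri)
    for note in notes:
        print("WARNING:", note)
```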