@acoburn acoburn commented Dec 18, 2025

Resolves #46

The Authentication and Authorization sections of the specification make use of the phrase "absolute URI", but RFC 3986, section 4.3 defines an absolute URI as a URI without a fragment identifier. It was not the intention of the author to exclude URIs that contain fragment identifiers; instead, the goal was to exclude relative URI references, since these values will generally cross domain and/or security boundaries and so any ambiguity would be problematic. The terminology "URI" implies that these values are not relative URI references.


TallTed commented Dec 22, 2025

Is there a reason not to forbid "relative URIs", which is absolutely clear, rather than mandating "URIs", which I do not find to imply "non-relative URIs" and which could also be the mandate, i.e., "non-relative URIs", if there is some proof that relative URIs are actually harmful?

In my world, a great many documents are authored using relative URIs, because they are trivially movable from internal deployment (for testing, etc., by company entities) to external deployment (for consumption by the general public). This prohibition seems likely to be problematic for this workflow.

acoburn commented Dec 22, 2025

The rationale for non-relative URIs in these particular cases is that these identifiers are used for crossing security domains. E.g. an access token with a globally unique issuer or the location of an authorization server. In these cases, global uniqueness is important.

This change does not affect URIs in documents.

TallTed commented Dec 22, 2025

OK, so given that I accept this prohibition in "non-documents" (though I think many documents are included under that label, e.g., *.ttl, *.jsonld), what about making the requirement be non-relative URIs rather than URIs?
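
The distinction debated in this thread, as an added example that is not part of the pull request, the specification, or any participant's comment: a coarse classifier for the three RFC 3986 categories involved (relative reference, absolute-URI per section 4.3, URI with a fragment), the old and new wording applied to each, and the set of identifiers a value resolves to under different base URIs. The sample values, base URIs and function names are constructed for illustration.

```python
import re
from urllib.parse import urljoin

# RFC 3986 Appendix B component-splitting expression
# (groups: scheme, authority, path, query, fragment).
_PARTS = re.compile(r"(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?")
# RFC 3986 section 3.1 scheme grammar.
_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*")


def classify(value):
    """Coarse RFC 3986 classification; does not validate every character rule."""
    if re.search(r"[\s\x00-\x1f\x7f]", value):
        return "invalid"
    m = _PARTS.fullmatch(value)
    if m is None:
        return "invalid"
    scheme, fragment = m.group(1), m.group(5)
    if scheme is None:
        return "relative-ref"        # section 4.2: no scheme, needs a base URI
    if not _SCHEME.fullmatch(scheme):
        return "invalid"
    if fragment is not None:
        return "URI-with-fragment"   # section 3: a URI, but not an absolute-URI
    return "absolute-URI"            # section 4.3: scheme present, no fragment


def accepted(value, wording):
    """Apply the old ("absolute URI") or new ("URI") wording to a value."""
    kind = classify(value)
    if wording == "absolute URI":
        return kind == "absolute-URI"
    if wording == "URI":
        return kind in ("absolute-URI", "URI-with-fragment")
    raise ValueError(f"unknown wording: {wording!r}")


def resolutions(value, bases):
    """Every identifier a value can become, depending on the base it is resolved against."""
    return {urljoin(base, value) for base in bases}


# Constructed sample values, not taken from the specification.
SAMPLES = ["https://issuer.example/", "https://id.example/alice#me", "/issuer", "//as.example/token"]
BASES = ["https://storage-a.example/data/", "https://storage-b.example/data/"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:32} {classify(s):18} old={accepted(s, 'absolute URI')!s:5} "
              f"new={accepted(s, 'URI')!s:5} resolves_to={sorted(resolutions(s, BASES))}")
```

A relative reference such as `/issuer` resolves to a different identifier for each base, which is the ambiguity across security boundaries that the requirement is meant to rule out; a fragment-bearing URI resolves to itself regardless of base.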
