author Daniel Stenberg <daniel@haxx.se> 2018-02-13 12:05:43 +0100
committer Daniel Stenberg <daniel@haxx.se> 2018-02-13 12:05:43 +0100
commit 03b7b2e8fc786f090599b6b4d32bb0c9cc03165a
tree 02d1afedb929dc7bd5da8508ad3d0b6ca88ff143
parent 390184205579941f0acfa1955abd48b36824a04c
libcurl-security.3: mention the URL standards problems too
-rw-r--r-- docs/libcurl/libcurl-security.3 10
1 files changed, 10 insertions, 0 deletions
diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3
index 63dad5de0..3334d581c 100644
--- a/docs/libcurl/libcurl-security.3
+++ b/docs/libcurl/libcurl-security.3
@@ -226,6 +226,16 @@ Remedies:
- libcurl programs can use \fICURLOPT_PROTOCOLS(3)\fP
- consider not allowing the user to set the full URL
- consider strictly filtering input to only allow specific choices
+.SH "RFC 3986 vs WHATWG URL"
+curl supports URLs mostly according to how they are defined in RFC 3986, and
+has done so since the beginning.
+
+Web browsers mostly adhere to the WHATWG URL Specification.
+
+This deviance makes some URLs copied between browsers (or returned over HTTP
+for redirection) and curl not work the same way. This can mislead users into
+getting the wrong thing, connecting to the wrong host or otherwise not work
+identically.
.SH "FTP uses two connections"
When performing an FTP transfer, two TCP connections are used: one for setting
up the transfer and one for the actual data.
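Review bot: The new "RFC 3986 vs WHATWG URL" section states the risk but gives no Remedies list, while the section just above it ends with one (CURLOPT_PROTOCOLS, not letting the user set the full URL, strict input filtering). A reader who reaches "connecting to the wrong host" is left without guidance, so consider adding a short Remedies list here, or a sentence pointing back to the filtering advice above for URLs that come from browsers or from HTTP redirects. Two wording points in the last added paragraph: "This deviance" reads better as "This difference", and "mislead users into ... or otherwise not work identically" does not parse, since "not work" has no subject that fits "mislead users into"; something like "or otherwise getting different behavior" would fix it.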