curl-library
Re: CURLOPT_SCOPE
Date: Wed, 9 Jul 2008 12:34:04 -0700
On Wed, Jul 09, 2008 at 10:19:51AM +0100, Phil Blundell wrote:
> On Wed, 2008-07-09 at 08:39 +0200, Daniel Stenberg wrote:
> > I agree. Here's a link to the RFC4007 section describing it:
> >
> > http://tools.ietf.org/html/rfc4007#section-11
> >
> > Phil, how do you feel about poking the patch to work with this?
One thought that came to me about the URL proposal is whether it presents
a security risk. Embedding the scope into the URL means that a malicious
site could redirect a URL to a specific local network interface, bypassing
the routing tables on a machine. Chances are, it's no more of a risk than
accessing an internal IPv4 address (e.g. 192.168.x.y), but even that
has been used in attacks (reprogramming a user's wireless router). It's
something to consider, anyway.
> Yah, I can have a go at that. I'd like to keep CURLOPT_SCOPE as well,
> though, because a separate option is fractionally more convenient in the
> particular use-case that my own application deals with. (In my case,
> the URL and scope arrive separately, and it would be a bit of a pain to
> manually unpick the URL and splice in the address scope, just so that
> libcurl can parse it out again.)
That seems redundant and some ambiguities would need to be addressed
(how would this option be handled on a redirect?), but there's precedent
(e.g. CURLOPT_PORT, CURLOPT_USERPWD).
>>> Dan
-- 
http://www.MoveAnnouncer.com    The web change of address service
Let webmasters know that your web site has moved

Received on 2008-07-09
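The redirect concern raised in this message, shown as an added example that is not part of the original post and is not libcurl code: a client-side check that refuses a server-supplied redirect target carrying an IPv6 zone id, while still letting the application choose a scope itself. The helper names `url_zone_id` and `redirect_target_ok` are hypothetical, the sample URLs are constructed, and the parser accepts both the raw `%` form and the URL-escaped `%25` form as an assumption about how the scope might be embedded.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not libcurl code. Looks for a zone id in the
 * bracketed IPv6 host of `url`, e.g. http://[fe80::1%eth0]/ or the
 * URL-escaped http://[fe80::1%25eth0]/.
 * Returns 1 and fills `zone` if present, 0 if absent, -1 if malformed. */
static int url_zone_id(const char *url, char *zone, size_t zonelen)
{
    size_t i = strcspn(url, "/?#");
    if (url[i] != '/' || url[i + 1] != '/' || (i > 0 && url[i - 1] != ':'))
        return 0;                       /* relative reference: no authority */
    const char *auth = url + i + 2;
    const char *end = auth + strcspn(auth, "/?#");
    const char *host = auth;
    for (const char *p = auth; p < end; p++)
        if (*p == '@') host = p + 1;    /* skip userinfo */
    if (host == end || *host != '[') return 0;   /* not an IPv6 literal */
    const char *close = memchr(host, ']', (size_t)(end - host));
    if (!close) return -1;
    const char *z = memchr(host, '%', (size_t)(close - host));
    if (!z) return 0;
    z++;
    if (close - z > 2 && z[0] == '2' && z[1] == '5') z += 2;  /* "%25" is an escaped '%' */
    size_t n = (size_t)(close - z);
    if (n == 0 || n >= zonelen) return -1;
    memcpy(zone, z, n);
    zone[n] = '\0';
    return 1;
}

/* Policy sketch: a zone id is a local routing decision, so accept it only
 * from the application, never from a server-supplied Location header.
 * Malformed targets are refused as well. */
static int redirect_target_ok(const char *location)
{
    char zone[64];
    return url_zone_id(location, zone, sizeof zone) == 0;
}

int main(void)
{
    /* Constructed sample redirect targets: first is allowed, second refused. */
    printf("%d\n", redirect_target_ok("http://example.com/next"));
    printf("%d\n", redirect_target_ok("http://[fe80::1%25eth0]:8080/admin"));
    return 0;
}
```

A relative redirect carries no authority and so inherits the host, and any scope, that the application originally chose; the check lets those through.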