
From the spec:

> Servers must not locate the actual change password page at the change password url, per RFC5785 §1.1 Appropriate Use of Well-Known URIs.

I scanned the RFC but can't find the prohibition against this. Curious, why does it matter? Just because .well-known URLs are not meant to be exposed to the user?






That section says:

   There are a number of possible ways that applications could use Well-
   known URIs.  However, in keeping with the Architecture of the World-
   Wide Web [W3C.REC-webarch-20041215], well-known URIs are not intended
   for general information retrieval or establishment of large URI
   namespaces on the Web.  Rather, they are designed to facilitate
   discovery of information on a site when it isn't practical to use
   other mechanisms; for example, when discovering policy that needs to
   be evaluated before a resource is accessed, or when using multiple
   round-trips is judged detrimental to performance.

I am guessing they consider “general information retrieval” and “URI namespaces” to exclude it.

I did see that section, but don't see how it follows. Putting your PW reset page at this address would be using the URI spec for exactly its intent, not “general information retrieval”. My read of this clause is just that they don't want you to start using .well-known as your primary namespace or cluttering the registrations with junk that's not broadly applicable.



