From: Daniel Stenberg Date: Tue, 13 Feb 2018 11:05:43 +0000 (+0100) Subject: libcurl-security.3: mention the URL standards problems too X-Git-Tag: curl-7_59_0~80 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03b7b2e8fc786f090599b6b4d32bb0c9cc03165a;p=thirdparty%2Fcurl.git libcurl-security.3: mention the URL standards problems too --- diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3 index 63dad5de03..3334d581ce 100644 --- a/docs/libcurl/libcurl-security.3 +++ b/docs/libcurl/libcurl-security.3 @@ -226,6 +226,16 @@ Remedies: - libcurl programs can use \fICURLOPT_PROTOCOLS(3)\fP - consider not allowing the user to set the full URL - consider strictly filtering input to only allow specific choices +.SH "RFC 3986 vs WHATWG URL" +curl supports URLs mostly according to how they are defined in RFC 3986, and +has done so since the beginning. + +Web browsers mostly adhere to the WHATWG URL Specification. + +This deviance makes some URLs copied between browsers (or returned over HTTP +for redirection) and curl not work the same way. This can mislead users into +getting the wrong thing, connecting to the wrong host or otherwise not work +identically. .SH "FTP uses two connections" When performing an FTP transfer, two TCP connections are used: one for setting up the transfer and one for the actual data.
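Review bot: The new "RFC 3986 vs WHATWG URL" section names the risk ("connecting to the wrong host") but gives the reader nothing to act on, whereas the section just above it ends with a "Remedies:" list. Consider closing this section with a short remedies list of its own, for example pointing back to "consider strictly filtering input to only allow specific choices", and advising applications not to assume that a URL validated by a browser-style parser is interpreted the same way by curl. Two wording points in the last paragraph: "This deviance" reads better as "This difference", and the final sentence breaks its own parallel structure ("mislead users into getting the wrong thing, connecting to the wrong host or otherwise not work identically"); something like "or otherwise getting different behavior" would fix it. One concrete URL that the two specifications treat differently would also make it clearer to readers of the man page what to look for.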