From e0c721b680d0977013ef2a14ba578388c01bd331 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 15 Jun 2015 18:29:21 +0200
Subject: [PATCH] Make it non-conforming to place a username and/or password in
 a URL. Fixes https://www.w3.org/Bugs/Public/show_bug.cgi?id=27516

---
 url.bs   | 46 +++++++++++++---------------------------------
 url.html | 56 ++++++++++++++++----------------------------------------
 2 files changed, 29 insertions(+), 73 deletions(-)

diff --git a/url.bs b/url.bs
index cc7455b2..c5926485 100644
--- a/url.bs
+++ b/url.bs
@@ -765,27 +765,9 @@ a <a lt='URL query'>query</a>.
 <a lt='URL parser'>parsed</a>, a
 <a>base URL</a> must be in scope.
 
-<p>A <dfn id=concept-scheme-relative-url lt='scheme-relative URL'>scheme-relative URL</dfn> must be
-"<code>//</code>", optionally followed by
-<a lt='URL userinfo'>userinfo</a> and "<code>@</code>",
-followed by a <a>host</a>, optionally followed
-by "<code>:</code>" and a <a lt='URL port'>port</a>,
-optionally followed by an
-<a>absolute-path-relative URL</a>.
-
-<p><dfn id=concept-url-userinfo lt='URL userinfo'>Userinfo</dfn> must be a
-<a lt='URL username'>username</a>, optionally followed by a
-"<code>:</code>" and a
-<a lt='URL password'>password</a>.
-
-<p>A <a lt='URL username'>username</a> must be zero or more
-<a>URL units</a>, excluding "<code>/</code>",
-"<code>:</code>, "<code>?</code>", and "<code>@</code>".
-<!-- password without ":" (sorted on ASCII position) -->
-
-<p>A <a lt='URL password'>password</a> must be zero or more
-<a>URL units</a>, excluding "<code>/</code>",
-"<code>?</code>", and "<code>@</code>".
+<p>A <dfn id=concept-scheme-relative-url>scheme-relative URL</dfn> must be
+"<code>//</code>", followed by a <a>host</a>, optionally followed by "<code>:</code>" and
+a <a lt="URL port">port</a>, optionally followed by an <a>absolute-path-relative URL</a>.
 
 <p>A <a lt='URL port'>port</a> must be zero or more
 <a>ASCII digits</a>.
@@ -859,6 +841,12 @@ U+100000 to U+10FFFD.
 <p>The <dfn>URL units</dfn> are <a>URL code points</a> and
 <a lt="percent-encoded byte">percent-encoded bytes</a>.
 
+<hr>
+
+<p class="note no-backref">There is no valid way to express a
+<a lt="URL username">username</a> or <a lt="URL password">password</a> within a
+<a>URL</a>.
+
 
 <h3 id=url-parsing>URL parsing</h3>
 
@@ -1249,8 +1237,9 @@ optionally with an <a>encoding</a>
       <p>If <a>c</a> is "<code>@</code>", run these substeps:
 
       <ol>
-       <li><p>If the <var>@ flag</var> is set,
-       <a>parse error</a>, prepend "<code>%40</code>" to
+       <li><p><a>Parse error</a>.
+
+       <li><p>If the <var>@ flag</var> is set, prepend "<code>%40</code>" to
        <var>buffer</var>.
 
        <li><p>Set the <var>@ flag</var>.
@@ -1259,16 +1248,7 @@ optionally with an <a>encoding</a>
         <p>For each <var>code point</var> in <var>buffer</var>, run these substeps:
 
         <ol>
-         <li><p>If <var>code point</var> is U+0009, U+000A, or U+000D,
-         <a>parse error</a>, continue.
-
-         <li><p>If <var>code point</var> is not a
-         <a lt="URL code points">URL code point</a> and not
-         "<code>%</code>", <a>parse error</a>.
-
-         <li><p>If <var>code point</var> is "<code>%</code>" and
-         <a>remaining</a> does not start with two
-         <a>ASCII hex digits</a>, <a>parse error</a>.
+         <li><p>If <var>code point</var> is U+0009, U+000A, or U+000D, continue.
 
          <li><p>If <var>code point</var> is "<code>:</code>" and
          <var>url</var>'s
diff --git a/url.html b/url.html
index c7d0673b..cf289403 100644
--- a/url.html
+++ b/url.html
@@ -1189,29 +1189,8 @@ <h3 class="heading settled" data-level="4.1" id="url-writing"><span class="secno
 
 </p>
    <p>A <dfn data-dfn-type="dfn" data-noexport="" id="concept-scheme-relative-url">scheme-relative URL<a class="self-link" href="#concept-scheme-relative-url"></a></dfn> must be
-"<code>//</code>", optionally followed by
-<a data-link-type="dfn" href="#concept-url-userinfo">userinfo</a> and "<code>@</code>",
-followed by a <a data-link-type="dfn" href="#concept-host">host</a>, optionally followed
-by "<code>:</code>" and a <a data-link-type="dfn" href="#concept-url-port">port</a>,
-optionally followed by an
-<a data-link-type="dfn" href="#concept-absolute-path-relative-url">absolute-path-relative URL</a>.
-
-</p>
-   <p><dfn data-dfn-type="dfn" data-lt="URL userinfo" data-noexport="" id="concept-url-userinfo">Userinfo<a class="self-link" href="#concept-url-userinfo"></a></dfn> must be a
-<a data-link-type="dfn" href="#concept-url-username">username</a>, optionally followed by a
-"<code>:</code>" and a
-<a data-link-type="dfn" href="#concept-url-password">password</a>.
-
-</p>
-   <p>A <a data-link-type="dfn" href="#concept-url-username">username</a> must be zero or more
-<a data-link-type="dfn" href="#url-units">URL units</a>, excluding "<code>/</code>",
-"<code>:</code>, "<code>?</code>", and "<code>@</code>".
-
-
-</p>
-   <p>A <a data-link-type="dfn" href="#concept-url-password">password</a> must be zero or more
-<a data-link-type="dfn" href="#url-units">URL units</a>, excluding "<code>/</code>",
-"<code>?</code>", and "<code>@</code>".
+"<code>//</code>", followed by a <a data-link-type="dfn" href="#concept-host">host</a>, optionally followed by "<code>:</code>" and
+a <a data-link-type="dfn" href="#concept-url-port">port</a>, optionally followed by an <a data-link-type="dfn" href="#concept-absolute-path-relative-url">absolute-path-relative URL</a>.
 
 </p>
    <p>A <a data-link-type="dfn" href="#concept-url-port">port</a> must be zero or more
@@ -1293,6 +1272,14 @@ <h3 class="heading settled" data-level="4.1" id="url-writing"><span class="secno
    <p>The <dfn data-dfn-type="dfn" data-noexport="" id="url-units">URL units<a class="self-link" href="#url-units"></a></dfn> are <a data-link-type="dfn" href="#url-code-points">URL code points</a> and
 <a data-link-type="dfn" href="#percent_encoded-byte">percent-encoded bytes</a>.
 
+</p>
+   <hr>
+
+
+   <p class="note no-backref" role="note">There is no valid way to express a
+<a data-link-type="dfn" href="#concept-url-username">username</a> or <a data-link-type="dfn" href="#concept-url-password">password</a> within a
+<a data-link-type="dfn" href="#concept-url">URL</a>.
+
 
 </p>
    <h3 class="heading settled" data-level="4.2" id="url-parsing"><span class="secno">4.2. </span><span class="content">URL parsing</span><a class="self-link" href="#url-parsing"></a></h3>
@@ -1875,8 +1862,11 @@ <h3 class="heading settled" data-level="4.2" id="url-parsing"><span class="secno
          <ol>
        
           <li>
-           <p>If the <var>@ flag</var> is set,
-       <a data-link-type="dfn" href="#parse-error">parse error</a>, prepend "<code>%40</code>" to
+           <p><a data-link-type="dfn" href="#parse-error">Parse error</a>.
+
+       </p>
+          <li>
+           <p>If the <var>@ flag</var> is set, prepend "<code>%40</code>" to
        <var>buffer</var>.
 
        </p>
@@ -1892,20 +1882,7 @@ <h3 class="heading settled" data-level="4.2" id="url-parsing"><span class="secno
            <ol>
          
             <li>
-             <p>If <var>code point</var> is U+0009, U+000A, or U+000D,
-         <a data-link-type="dfn" href="#parse-error">parse error</a>, continue.
-
-         </p>
-            <li>
-             <p>If <var>code point</var> is not a
-         <a data-link-type="dfn" href="#url-code-points">URL code point</a> and not
-         "<code>%</code>", <a data-link-type="dfn" href="#parse-error">parse error</a>.
-
-         </p>
-            <li>
-             <p>If <var>code point</var> is "<code>%</code>" and
-         <a data-link-type="dfn" href="#remaining">remaining</a> does not start with two
-         <a data-link-type="dfn" href="#ascii-hex-digits">ASCII hex digits</a>, <a data-link-type="dfn" href="#parse-error">parse error</a>.
+             <p>If <var>code point</var> is U+0009, U+000A, or U+000D, continue.
 
          </p>
             <li>
@@ -4502,7 +4479,6 @@ <h3 class="no-num heading settled" id="index-defined-here"><span class="content"
    <li>URL serializer, <a href="#concept-url-serializer">4.3</a>
    <li>URL units, <a href="#url-units">4.1</a>
    <li>URL(url, base), <a href="#dom-url-urlurl-base">6.1</a>
-   <li>URL userinfo, <a href="#concept-url-userinfo">4.1</a>
    <li>URL username, <a href="#concept-url-username">4</a>
    <li>URLUtils, <a href="#urlutils">6</a>
    <li>URLUtils input, <a href="#concept-urlutils-input">6</a>