
Clean up references to URL vs URI vs application/x-www-form-urlencoded #126

Open
aaronpk opened this issue Jul 21, 2022 · 1 comment

aaronpk (Member) commented Jul 21, 2022

There are still some references to old URI specs like RFC3986, which have since been replaced by various IETF specs as well as the WHATWG URL spec.

@aaronpk aaronpk added this to the version -06 milestone Jul 21, 2022
ioggstream (Contributor) commented Jul 21, 2022

@aaronpk I asked the HTTP ML and it seems there are many doubts on that point. In particular,

@bagder (curl's author) referenced this post

The current state of URLs and URIs cannot be described as anything less than a horrible mess, a security nightmare [*] and an infected area that lots of persons will not go near due to the past experiences and personal conflicts.

[*] = https://daniel.haxx.se/blog/2022/01/10/dont-mix-url-parsers/

and @royfielding wrote this interesting email https://lists.w3.org/Archives/Public/ietf-http-wg/2022AprJun/0173.html that iiuc states that

What URI (RFC3986) defines is a standard naming format that uses hierarchical name delegation to cover the entire Internet with identifiers. The WHATWG url spec defines a set of rules for interpreting references and placing them in a url data structure within browser memory. url != URL. href != URL. The spec says that this is somehow replacing URI, but it isn't even defining the same thing.

As of now, the application/x-www-form-urlencoded media type registration references the WHATWG url spec.

I think that in OAuth we should:

  • consistently refer to IETF URL specifications;
  • avoid using URI and URL interchangeably when pointing to a dereferenceable location (e.g. a server URL);
  • only refer to the WHATWG spec to reference the x-www-form-urlencoded specification.

This should minimize the security risks @bagder highlights in his post and provide a consistent language for implementers.

Since I am not a veteran of the HTTP wg, I suggest asking the HTTP chairs for a preliminary review of this spec: I think it will really improve the security profile of this great work.

HTH,
R

See also #119

@aaronpk aaronpk modified the milestones: version -06, version -08 Oct 24, 2022
@aaronpk aaronpk modified the milestones: version -09, version -10 Aug 20, 2023
@aaronpk aaronpk modified the milestones: version -10, version -11 Jan 31, 2024