From 03b7b2e8fc786f090599b6b4d32bb0c9cc03165a Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 13 Feb 2018 12:05:43 +0100 Subject: libcurl-security.3: mention the URL standards problems too --- docs/libcurl/libcurl-security.3 | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'docs/libcurl/libcurl-security.3') diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3 index 63dad5de0..3334d581c 100644 --- a/docs/libcurl/libcurl-security.3 +++ b/docs/libcurl/libcurl-security.3 @@ -226,6 +226,16 @@ Remedies: - libcurl programs can use \fICURLOPT_PROTOCOLS(3)\fP - consider not allowing the user to set the full URL - consider strictly filtering input to only allow specific choices +.SH "RFC 3986 vs WHATWG URL" +curl supports URLs mostly according to how they are defined in RFC 3986, and +has done so since the beginning. + +Web browsers mostly adhere to the WHATWG URL Specification. + +This deviance makes some URLs copied between browsers (or returned over HTTP +for redirection) and curl not work the same way. This can mislead users into +getting the wrong thing, connecting to the wrong host or otherwise not work +identically. .SH "FTP uses two connections" When performing an FTP transfer, two TCP connections are used: one for setting up the transfer and one for the actual data. -- cgit v1.2.3
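Review bot: The new "RFC 3986 vs WHATWG URL" section names the risk ("connecting to the wrong host") but, unlike the section directly above it, which ends in a "Remedies:" list, it gives the reader nothing to act on. Consider adding a short remedies list in the same style, for example advising that an application which validates or filters a URL with a different parser (a browser or another URL library) should not assume libcurl will interpret that URL the same way, and pointing back to the existing advice about not letting the user set the full URL. Two wording points in the last paragraph: "This deviance" reads better as "This difference", and the closing clause "or otherwise not work identically" does not parallel "getting the wrong thing, connecting to the wrong host"; something like "or otherwise not getting identical behavior" would fix that. It would also help to say which kinds of URL trigger the difference, since "some URLs" leaves the reader unable to judge whether their input is affected.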