
RE: Intent of 14.38 Server

From: Paul Leach <paulle@windows.microsoft.com>
Date: Wed, 20 Dec 2006 17:24:27 -0800
Message-ID: <76323E9F0A911944A4E9225FACFC55BA031F5F64@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
To: "Travis Snoozy (Volt)" <a-travis@microsoft.com>, <ietf-http-wg@w3.org>

Authentication protocols that provide integrity protection can rely on
the original wording to mean that they can include fields that proxies
aren't allowed to modify in the integrity check.

-----Original Message-----
From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org]
On Behalf Of Travis Snoozy (Volt)
Sent: Wednesday, December 20, 2006 4:47 PM
To: ietf-http-wg@w3.org
Subject: Intent of 14.38 Server


Section 14.38 states:

"If the response is being forwarded through a proxy, the proxy
application MUST NOT modify the Server response-header. Instead, it MUST
include a Via field (as described in Section 14.45)."

Taken literally, this requirement overrides the ability for a proxy to
replace whitespace, and totally prevents a proxy from sanitizing the
field-value. Is this the intent? The mention of Via seems to indicate
otherwise -- that the intent is to prevent proxies from inserting their
own server string into the Server header.

Another problem is that the term "modify" is not defined precisely. Does
removal of a header count as modification?

Any thoughts?

-- Travis
Received on Thursday, 21 December 2006 01:24:50 GMT
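Added example, not part of the original messages or of any real authentication protocol: a hypothetical integrity check that MACs the exact Server field-value together with the body, showing which proxy behaviours discussed in this thread leave the check valid and which break it. The key, header values, proxy name and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-shared-secret"  # constructed sample key, not a real secret
PROTECTED = ("server",)             # assumption: fields the scheme covers

def mac_response(headers, body, key=KEY):
    """MAC the exact bytes of each protected field-value, then the body."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for name in PROTECTED:
        value = headers.get(name, "")  # an absent field is MACed as empty
        h.update(name.encode() + b":" + value.encode("latin-1") + b"\n")
    h.update(body)
    return h.hexdigest()

def verify(headers, body, tag, key=KEY):
    """Recompute the MAC at the client and compare in constant time."""
    return hmac.compare_digest(mac_response(headers, body, key), tag)

def origin_response():
    # Constructed response; note the two spaces inside the Server value.
    headers = {"server": "ExampleServer/1.0  (constructed)"}
    body = b"hello"
    return headers, body, mac_response(headers, body)

def proxy_add_via(headers):
    """What 14.38 asks for: leave Server alone, add Via."""
    out = dict(headers)
    out["via"] = "1.1 proxy.example"  # hypothetical proxy name
    return out

def proxy_normalize_whitespace(headers):
    """Collapse runs of whitespace in the Server field-value."""
    out = dict(headers)
    out["server"] = " ".join(out["server"].split())
    return out

def proxy_strip_server(headers):
    """Remove the Server field entirely."""
    out = dict(headers)
    out.pop("server", None)
    return out

def run_demo():
    headers, body, tag = origin_response()
    return {
        "untouched": verify(headers, body, tag),
        "via_added": verify(proxy_add_via(headers), body, tag),
        "whitespace_normalized": verify(proxy_normalize_whitespace(headers), body, tag),
        "server_removed": verify(proxy_strip_server(headers), body, tag),
    }
```

Under this scheme a client cannot tell a well-meaning whitespace cleanup from tampering: any change to the covered bytes, including removal of the field, fails verification, while an added Via field does not.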
