
Re: NEW ISSUE: message-body in CONNECT response

From: Adrien de Croy <adrien@qbik.com>
Date: Wed, 28 Nov 2007 12:44:13 +1300
Message-ID: <474CABCD.7020205@qbik.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
CC: Eric Lawrence <ericlaw@exchange.microsoft.com>, Jamie Lokier <jamie@shareable.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, Dan Winship <dan.winship@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

Roy T. Fielding wrote:
> On Nov 27, 2007, at 1:35 PM, Eric Lawrence wrote:
>> Vis-à-vis the idea of responding to a CONNECT request with a HTML 2xx 
>> "login" page, it may be worth mentioning that this does not work in 
>> IE6 or IE7. A user-agent which does support such responses must be 
>> very careful to ensure that the security context of the returned 
>> content is corrected to reflect its insecure nature.
> Yep, that is why the message-body is required to be empty.
I'm not sure about the significance of "security context" in this case, 
since this is a message from the proxy to the UA.

In any case, there are numerous security issues with CONNECT. The main 
one being it's very commonly used to bypass restrictions or scanning.  
But that's a proxy policy issue (albeit non-trivial to solve).

So I guess then a proxy wishing to prevent a CONNECT command from 
succeeding without prior established credentials, but which doesn't have 
the option of using an HTTP auth mechanism can only really send back a 
401, and the user must establish credentials some other way first.


> ....Roy

Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Tuesday, 27 November 2007 23:43:32 UTC
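The point argued in this thread, that a 2xx reply to CONNECT carries no message-body and that anything a proxy does send back must not be treated as content from the target origin, can be made concrete with a small client-side handler. The following is an added example, not code from the thread, from WinGate, or from any browser; the sample responses and the target name are constructed, and the failure sample uses 407 (the standard proxy-authentication status) although any non-2xx status is handled the same way.

```python
import re

# Added example (not from the thread): client-side handling of the proxy's
# reply to a CONNECT request. A 2xx reply carries no message-body (any bytes
# after the head are the start of the tunnel), and a non-2xx body is the
# proxy's own content, which must be attributed to the proxy rather than to
# the target origin so it is never rendered in the target's security context.

class ConnectResponseError(ValueError):
    """Raised when the proxy's reply cannot be parsed safely."""

STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})(?: .*)?$")

def parse_head(raw: bytes):
    """Split the response head off the byte stream and parse it.

    Returns (status, headers, remaining_bytes). Header names are lower-cased.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ConnectResponseError("incomplete response head")
    lines = head.split(b"\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise ConnectResponseError("malformed status line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ConnectResponseError("malformed header line")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return int(m.group(1)), headers, rest

def handle_connect_response(raw: bytes, target: str) -> dict:
    """Classify the proxy's reply to 'CONNECT <target>'.

    target is the host:port the client asked to tunnel to (constructed value
    in the samples below); it is recorded so callers can see that a non-2xx
    body is NOT attributed to it.
    """
    status, headers, rest = parse_head(raw)
    if 200 <= status < 300:
        # Tunnel established. Content-Length and Transfer-Encoding on a
        # successful CONNECT reply are ignored; the bytes after the head belong
        # to the tunnelled stream (consumed by the TLS layer), never to a page.
        return {"status": status, "tunnel": True, "tunnel_bytes": rest,
                "body": b"", "content_origin": None, "target": target}
    # Failed CONNECT: the body, if any, is proxy-authored. Attribute it to the
    # proxy so a renderer would present it outside the target's security
    # context (no padlock, no target cookies, no target origin).
    length_text = headers.get("content-length", "0")
    if not length_text.isdigit():
        raise ConnectResponseError("bad Content-Length")
    body = rest[:int(length_text)]
    return {"status": status, "tunnel": False, "tunnel_bytes": b"",
            "body": body, "content_origin": "proxy", "target": target,
            "challenge": headers.get("proxy-authenticate")}

# Constructed samples: a proxy that wrongly attaches an HTML "login" page to a
# 2xx CONNECT reply, and a proxy that refuses the tunnel with a challenge.
SAMPLE_2XX_WITH_BODY = (
    b"HTTP/1.1 200 Connection established\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 26\r\n\r\n"
    b"<html>Please log in</html>"
)
SAMPLE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: Basic realm=\"proxy\"\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 26\r\n\r\n"
    b"<html>Please log in</html>"
)

if __name__ == "__main__":
    for sample in (SAMPLE_2XX_WITH_BODY, SAMPLE_407):
        print(handle_connect_response(sample, "example.com:443"))
```

With the first sample the handler reports an open tunnel and an empty body: the HTML is treated as opaque tunnel bytes (which a TLS handshake would then reject), so it can never be shown as a page. With the second sample the body is returned as proxy-authored content alongside the challenge, which is the only place a "please log in" message from the proxy can legitimately appear.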
