- From: Adrien de Croy <adrien@qbik.com>
- Date: Wed, 28 Nov 2007 12:44:13 +1300
- To: "Roy T. Fielding" <fielding@gbiv.com>
- CC: Eric Lawrence <ericlaw@exchange.microsoft.com>, Jamie Lokier <jamie@shareable.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, Dan Winship <dan.winship@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Roy T. Fielding wrote: > > On Nov 27, 2007, at 1:35 PM, Eric Lawrence wrote: >> Vis-à-vis the idea of responding to a CONNECT request with a HTML 2xx >> "login" page, it may be worth mentioning that this does not work in >> IE6 or IE7. A user-agent which does support such responses must be >> very careful to ensure that the security context of the returned >> content is corrected to reflect its insecure nature. > > Yep, that is why the message-body is required to be empty. I'm not sure about the significance of "security context" in this case, since this is a message from the proxy to the UA. In any case, there are numerous security issues with CONNECT. The main one being it's very commonly used to bypass restrictions or scanning. But that's a proxy policy issue (albeit non-trivial to solve). So I guess then a proxy wishing to prevent a CONNECT command from succeeding without prior established credentials, but which doesn't have the option of using an HTTP auth mechanism can only really send back a 401, and the user must establish credentials some other way first. Adrien > > ....Roy > > -- Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Tuesday, 27 November 2007 23:43:32 UTC