
Re: Security Requirements for HTTP, draft -00

From: Roy T. Fielding <fielding@gbiv.com>
Date: Fri, 1 Feb 2008 15:17:15 -0800
Message-Id: <D66FE2B1-768D-4599-8C1E-51188E3C8778@gbiv.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, HTTP Working Group <ietf-http-wg@w3.org>
To: Paul Leach <paulle@windows.microsoft.com>

On Feb 1, 2008, at 2:39 PM, Paul Leach wrote:
> [Paul Leach] Are you taking into account that, after an FBA,  
> subsequent requests to the same site are authorized by a cookie  
> (i.e., they have no auth headers at all), whereas with Basic every  
> request has an auth header?

It doesn't make any difference either way. The notion that
HTTP requests are almost entirely based on FBA is absurd. It ignores
the fact that most HTTP requests aren't even made by browsers.

Received on Friday, 1 February 2008 23:17:10 UTC
