- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Tue, 26 Jul 2011 00:21:35 +1200
- CC: ietf-http-wg@w3.org
On 25/07/11 19:42, Adrien de Croy wrote:
>
> On 25/07/2011 7:34 p.m., Adrien de Croy wrote:
>>
>> On 25/07/2011 6:21 p.m., Amos Jeffries wrote:
>>> Really? What browsers respond to Proxy-Auth challenges when they
>>> explicitly contacted the origin directly?
>>
>> All of them do. They don't know they are being intercepted by a proxy.
>> They just think the site challenged them.
>
> Sorry - to clarify, we don't challenge an intercepted connection with
> 407 + Proxy-Authorize. That would be pointless since the client has no
> knowledge of the proxy.
>
> We of course respond with 401 + WWW-Authorize.
>

I wondered. Having seen plenty of proxy-auth challenges get silently
rebuffed by the client agents.

So, in this case you are not an authenticating proxy. But a proxy
claiming to _be_ the origin. And are thus bound by the origin-permitted
behaviour. www-auth being *this* domain, should be naturally bound to the
domain by one end or the other, hopefully both.

(I take it you know the usual result when this is tried? A constant
barrage of auth popups by the browser.)

That also explains your (apparent) mistake in "use those creds for any
site you access through me". Your text implied that it was a proxy
question. Not an origin question being posed by a lying proxy.

And you are right. It's intentionally not easy to pose that question if it
was bound firmly to domain+realm. Sounds like good security intentionally
getting in the way of a nasty practice. I like it.

AYJ
Received on Monday, 25 July 2011 12:22:19 UTC
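The three client behaviours the exchange above turns on (a 407 from an unannounced proxy is ignored, a 401 from a proxy posing as the origin yields credentials that the browser then binds to that host+realm, and only a configured proxy gets one set of credentials reused for every site) can be made concrete with a small simulation. This is an added example, not code from this thread, from Squid or from the WinGate side; the `Browser`, `authenticating_hop` and helper names are illustrative assumptions, and the credential scoping (origin credentials keyed by host and realm, proxy credentials keyed by the configured proxy) is a simplification of the protection-space rules in RFC 7235/7617, which real browsers additionally key on scheme, port and path prefix.

```python
import base64
from dataclasses import dataclass, field


@dataclass
class Request:
    host: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def parse_challenge(value):
    """Parse 'Basic realm="x"' into ('basic', 'x'). Only Basic is modelled."""
    scheme, _, params = value.partition(" ")
    realm = ""
    for param in params.split(","):
        key, _, val = param.strip().partition("=")
        if key.lower() == "realm":
            realm = val.strip('"')
    return scheme.lower(), realm


class Browser:
    """Toy user agent (hypothetical). Origin credentials are cached per
    (host, realm); proxy credentials per (configured proxy, realm). A 407 is
    only honoured when the client knows it is talking through a proxy."""

    def __init__(self, user, password, configured_proxy=None):
        self.user, self.password = user, password
        self.configured_proxy = configured_proxy
        self.origin_creds = {}  # (host, realm) -> "Basic ..." token
        self.proxy_creds = {}   # (proxy, realm) -> "Basic ..." token
        self.prompts = 0        # credential popups the user has seen

    def _token(self):
        raw = f"{self.user}:{self.password}".encode()
        return "Basic " + base64.b64encode(raw).decode()

    def fetch(self, host, path, network):
        req = Request(host, path)
        # Preemptively send credentials already cached for this host / this proxy.
        for (h, _realm), tok in self.origin_creds.items():
            if h == host:
                req.headers["Authorization"] = tok
        for (p, _realm), tok in self.proxy_creds.items():
            if p == self.configured_proxy:
                req.headers["Proxy-Authorization"] = tok
        resp = network(req)

        if resp.status == 401 and "WWW-Authenticate" in resp.headers:
            _, realm = parse_challenge(resp.headers["WWW-Authenticate"])
            key = (host, realm)             # bound to this origin, not to "the proxy"
            if key not in self.origin_creds:
                self.prompts += 1           # new host+realm: the user gets a popup
                self.origin_creds[key] = self._token()
            req.headers["Authorization"] = self.origin_creds[key]
            resp = network(req)
        elif resp.status == 407 and "Proxy-Authenticate" in resp.headers:
            if self.configured_proxy is None:
                return resp                 # direct connection: challenge silently rebuffed
            _, realm = parse_challenge(resp.headers["Proxy-Authenticate"])
            key = (self.configured_proxy, realm)
            if key not in self.proxy_creds:
                self.prompts += 1
                self.proxy_creds[key] = self._token()
            req.headers["Proxy-Authorization"] = self.proxy_creds[key]
            resp = network(req)
        return resp


def authenticating_hop(challenge_header):
    """A proxy in the path that forwards nothing until it sees credentials,
    challenging either as the origin (401) or as a proxy (407)."""
    posing_as_origin = challenge_header == "WWW-Authenticate"
    credential_header = "Authorization" if posing_as_origin else "Proxy-Authorization"

    def handle(req):
        if req.headers.get(credential_header):
            return Response(200)            # would forward to the real origin here
        status = 401 if posing_as_origin else 407
        return Response(status, {challenge_header: 'Basic realm="corp-proxy"'})
    return handle


def popups_when_posing_as_origin(sites):
    """Intercepting proxy claims to be each origin: one popup per host."""
    ua = Browser("alice", "s3cret")         # no proxy configured
    net = authenticating_hop("WWW-Authenticate")
    statuses = [ua.fetch(h, "/", net).status for h in sites]
    return ua.prompts, statuses


def popups_with_explicit_proxy(sites):
    """Client configured to use the proxy: one popup covers every site."""
    ua = Browser("alice", "s3cret", configured_proxy="proxy.corp.example:3128")
    net = authenticating_hop("Proxy-Authenticate")
    statuses = [ua.fetch(h, "/", net).status for h in sites]
    return ua.prompts, statuses


def direct_client_ignores_407():
    """Interception answered with a 407: a client that contacted the origin
    directly has no proxy to authenticate to, so the challenge goes unanswered."""
    ua = Browser("alice", "s3cret")
    resp = ua.fetch("a.example", "/", authenticating_hop("Proxy-Authenticate"))
    return resp.status, ua.prompts


if __name__ == "__main__":
    sites = ["a.example", "b.example", "c.example"]   # constructed sample hosts
    print("posing as origin:", popups_when_posing_as_origin(sites))
    print("explicit proxy:  ", popups_with_explicit_proxy(sites))
    print("direct + 407:    ", direct_client_ignores_407())
```

Running it shows the "barrage of popups" directly: the lying-origin case prompts once per host because each credential is keyed to that host and realm, the configured-proxy case prompts once in total, and the direct client never answers the 407 at all. The same binding that makes the popups annoying is what stops one captured credential being replayed to every site the interceptor sits in front of.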