
Re: #177: Realm required on challenges

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Tue, 26 Jul 2011 00:21:35 +1200
Message-ID: <4E2D5FCF.6010209@treenet.co.nz>
CC: ietf-http-wg@w3.org
On 25/07/11 19:42, Adrien de Croy wrote:
>
>
> On 25/07/2011 7:34 p.m., Adrien de Croy wrote:
>>
>>
>> On 25/07/2011 6:21 p.m., Amos Jeffries wrote:
>>> Really? what browsers respond to Proxy-Auth challenges when they
>>> explicitly contacted the origin directly?
>>
>> all of them do. They don't know they are being intercepted by a proxy.
>> They just think the site challenged them.
>
> sorry - to clarify, we don't challenge an intercepted connection with
> 407 + Proxy-Authorize. That would be pointless since the client has no
> knowledge of the proxy.
>
> We of course respond with 401 + WWW-Authorize.
>

I wondered, having seen plenty of proxy-auth challenges get silently 
rebuffed by the client agents.

So, in this case you are not an authenticating proxy, but a proxy 
claiming to _be_ the origin, and are thus bound by the origin-permitted 
behaviour. WWW-Auth, being *this* domain, should naturally be bound to 
the domain by one end or the other, hopefully both.

(I take it you know the usual result when this is tried? A constant 
barrage of auth popups by the browser.)

That also explains your (apparent) mistake in "use those creds for any 
site you access through me".  Your text implied that it was a proxy 
question, not an origin question being posed by a lying proxy. And you 
are right. It's intentionally not easy to pose that question if it was 
bound firmly to domain+realm.
Sounds like good security intentionally getting in the way of a nasty 
practice. I like it.

AYJ
Received on Monday, 25 July 2011 12:22:19 GMT
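The point argued above is that client credentials are bound to (origin, realm), and that a 407 challenge makes no sense on a connection the client opened directly to the origin. The following is an added example illustrating that, not code from the thread, from Squid or from any browser: a small client-side model with a credential store keyed by (origin, realm) and a challenge handler that rejects Proxy-Authenticate on direct connections and drops stored credentials once they have been refused, rather than re-sending them in a loop. Header names follow RFC 7235 (WWW-Authenticate for 401, Proxy-Authenticate for 407); the origins, realms and user names in the demo are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Added example (not from the thread, Squid or any browser): how a careful
# client binds credentials to (origin, realm) and treats 401 vs 407.
# Origins, realms and user names used below are constructed for the demo.

Origin = Tuple[str, str, int]  # (scheme, host, port) as chosen by the client

# One auth-param: token "=" (quoted-string | token), per RFC 7235 grammar
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_challenge(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one challenge such as 'Basic realm="Staff"' into (scheme, params).
    The scheme is lower-cased; realm defaults to "" if the challenge omits it."""
    scheme, _, rest = value.strip().partition(" ")
    params: Dict[str, str] = {}
    for m in _PARAM_RE.finditer(rest):
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = raw.replace('\\"', '"')
    params.setdefault("realm", "")
    return scheme.lower(), params


@dataclass
class CredentialStore:
    """Credentials keyed by (origin, realm). Another origin, or the same origin
    with a different realm, never sees an entry it did not earn itself."""
    entries: Dict[Tuple[Origin, str], Tuple[str, str]] = field(default_factory=dict)

    def remember(self, origin: Origin, realm: str, user: str, pw: str) -> None:
        self.entries[(origin, realm)] = (user, pw)

    def lookup(self, origin: Origin, realm: str) -> Optional[Tuple[str, str]]:
        return self.entries.get((origin, realm))

    def forget(self, origin: Origin, realm: str) -> None:
        self.entries.pop((origin, realm), None)


@dataclass
class Client:
    store: CredentialStore
    configured_proxy: Optional[Origin] = None  # set only if the user chose a proxy

    def on_challenge(self, origin: Origin, status: int, headers: Dict[str, str],
                     already_sent_creds: bool = False) -> str:
        """Return the action taken for a 401/407 received from `origin`, the
        place the client deliberately connected to. An intercepting proxy on
        that path is invisible to the client, so it can only be judged as
        if it were the origin."""
        if status == 407:
            if self.configured_proxy is None:
                # No proxy was ever chosen, so nothing on a direct connection
                # may legitimately ask for Proxy-Authorization. Drop it.
                return "reject: 407 on a direct connection"
            target, header = self.configured_proxy, "Proxy-Authenticate"
        elif status == 401:
            target, header = origin, "WWW-Authenticate"
        else:
            return "no auth action"

        challenge = headers.get(header)
        if challenge is None:
            return f"reject: {status} without {header}"
        scheme, params = parse_challenge(challenge)
        realm = params["realm"]

        if already_sent_creds:
            # The stored credentials were just refused: forget them and ask
            # again, instead of re-sending them forever (the popup barrage).
            self.store.forget(target, realm)
            return f"prompt: {scheme} for {target[1]} realm={realm!r} (stale)"
        if self.store.lookup(target, realm):
            return f"retry: {scheme} with stored credentials for {target[1]} realm={realm!r}"
        return f"prompt: {scheme} for {target[1]} realm={realm!r}"


def demo() -> list:
    """Constructed walk-through: a lying proxy answering 401 for a second
    origin, or 407 on the direct path, gets no stored credentials."""
    store = CredentialStore()
    client = Client(store)  # no proxy configured: every connection is direct
    wiki: Origin = ("https", "wiki.example", 443)
    other: Origin = ("https", "intranet.example", 443)
    chal = {"WWW-Authenticate": 'Basic realm="Staff"'}
    out = [client.on_challenge(wiki, 401, chal)]        # prompt the user
    store.remember(wiki, "Staff", "alice", "s3cret")    # user answered the prompt
    out.append(client.on_challenge(wiki, 401, chal))    # retry with stored creds
    out.append(client.on_challenge(other, 401, chal))   # same realm, other origin: prompt
    out.append(client.on_challenge(wiki, 407, {"Proxy-Authenticate": 'Basic realm="Staff"'}))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The realm alone is not the key: `intranet.example` presenting `realm="Staff"` still gets a fresh prompt, which is exactly the binding to domain+realm the message above describes. A real client would also scope the stored entry by protection space (the URI prefix) and would not return stored credentials over plaintext to an origin that first asked over TLS.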
