
Re: #78: Relationship between 401, Authorization and WWW-Authenticate

From: Willy Tarreau <w@1wt.eu>
Date: Tue, 26 Jul 2011 00:44:02 +0200
To: Julian Reschke <julian.reschke@gmx.de>
Cc: "Manger, James H" <James.H.Manger@team.telstra.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20110725224402.GA31941@1wt.eu>

Hi Julian,

On Mon, Jul 25, 2011 at 11:54:07PM +0200, Julian Reschke wrote:
> Maybe...:
> 
> Use of the Authorization header to transfer credentials implies 
> "Cache-Control: private" [ref] and thus affects cacheability of 
> responses. Thus, definitions of new authentication schemes that do not 
> use "Authorization" will need to ensure that response messages do not 
> leak in an unintended way, for instance by specifying "Cache-Control" or 
> "Vary: *" [ref] explicitly.
> 
> Feedback appreciated,

I can read the first sentence in two ways:
  - if a server or intermediary receives an Authorization header, it must
    assume that "Cache-Control: private" is implied
  - if a client wants to emit an Authorization header, it must also add
    a "Cache-Control: private" header

I think the former was meant given the second sentence, though I'm not
100% certain. If so, maybe we should focus on the recipient of the message
and replace "Use of" with "Presence of" (or anything equivalent).

The second part is clear enough, however.

Regards,
Willy
Received on Monday, 25 July 2011 22:44:40 GMT
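As an added example, not code from the thread or from any HTTP implementation, here is a shared-cache storability check that encodes the "recipient" reading Willy prefers: the presence of Authorization on the request makes the response private unless the response itself overrides that. It assumes the override directives of RFC 2616 section 14.8 (s-maxage, must-revalidate, public) and the "Vary: *" rule from Julian's proposed text.

```python
"""Shared-cache storability check for responses to requests that carry an
Authorization header.

Constructed example, not code from the thread or from any HTTP implementation.
It encodes Willy's first reading: a recipient that sees "Authorization" on
the request treats the response as private (not storable by a shared cache)
unless the response opts back in with a Cache-Control directive that
RFC 2616 section 14.8 lists: s-maxage, must-revalidate or public. It also
applies the "Vary: *" rule Julian mentions: such a response is never reused
for another request.
"""
from typing import Dict, Set

# Response directives that re-enable shared caching despite Authorization.
_AUTH_OVERRIDES: Set[str] = {"s-maxage", "must-revalidate", "public"}


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'public, max-age=60' into {'public': '', 'max-age': '60'}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def shared_cache_may_store(req_headers: Dict[str, str],
                           resp_headers: Dict[str, str]) -> bool:
    """Return True if a shared cache may store and reuse this response."""
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))

    # An explicit opt-out on the response always wins.
    if "private" in cc or "no-store" in cc:
        return False
    # "Vary: *" means no later request can ever match this response.
    if resp.get("vary", "").strip() == "*":
        return False
    # Authorization on the request implies private unless the response
    # carries one of the override directives.
    if "authorization" in req and _AUTH_OVERRIDES.isdisjoint(cc):
        return False
    return True
```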