Re: #177: Realm required on challenges

From: Adrien de Croy <adrien@qbik.com>
Date: Tue, 26 Jul 2011 12:16:18 +1200
Message-ID: <4E2E0752.7080902@qbik.com>
To: Amos Jeffries <squid3@treenet.co.nz>
CC: ietf-http-wg@w3.org

Actually this whole thread is a diversion.  I'm not concerned about the 
spec in relation to intercepting.

My concern is how to specify the base URI when it's proxy auth (not 
intercepted).

The definitions of that refer to the site being requested, not the proxy 
itself.


On 26/07/2011 12:21 a.m., Amos Jeffries wrote:
> On 25/07/11 19:42, Adrien de Croy wrote:
>>
>>
>> On 25/07/2011 7:34 p.m., Adrien de Croy wrote:
>>>
>>>
>>> On 25/07/2011 6:21 p.m., Amos Jeffries wrote:
>>>> Really? What browsers respond to Proxy-Auth challenges when they
>>>> explicitly contacted the origin directly?
>>>
>>> All of them do. They don't know they are being intercepted by a proxy.
>>> They just think the site challenged them.
>>
>> Sorry - to clarify, we don't challenge an intercepted connection with
>> 407 + Proxy-Authorize. That would be pointless since the client has no
>> knowledge of the proxy.
>>
>> We of course respond with 401 + WWW-Authorize.
>>
>
> I wondered. Having seen plenty of proxy-auth challenges get silently 
> rebuffed by the client agents.
>
> So, in this case you are not an authenticating proxy. But a proxy 
> claiming to _be_ the origin. And are thus bound by the origin 
> permitted behaviour. www-auth being *this* domain, should be naturally 
> bound to the domain by one end or the other, hopefully both.
>
> (I take it you know the usual result when this is tried? a constant 
> barrage of auth popups by the browser.)
>
> That also explains your (apparent) mistake in "use those creds for any 
> site you access through me".  Your text implied that it was a proxy 
> question. Not an origin question being posed by a lying proxy. And you 
> are right. It's intentionally not easy to pose that question if it was 
> bound firmly to domain+realm.
>  Sounds like good security intentionally getting in the way of a nasty 
> practice. I like it.
>
> AYJ
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
WinGate 7 beta out now - http://www.wingate.com/getlatest/
Received on Tuesday, 26 July 2011 00:16:50 GMT
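
An added illustration of the scoping discussed in this thread, not code from either poster or from any browser: a toy client credential cache that binds 401 credentials to the origin plus realm and 407 credentials to the configured proxy plus realm. The class, function names, hosts and credentials are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return (scheme, host, port), the root URI that scopes a 401 challenge."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme])

class CredentialCache:
    """Toy user-agent cache; configured_proxy is a (host, port) tuple or None."""

    def __init__(self, configured_proxy=None):
        self.proxy = configured_proxy
        self.store = {}

    def _key(self, status, url, realm):
        if status == 401:
            # Origin challenge: bound to the site being accessed plus realm.
            return ("origin",) + origin_of(url) + (realm,)
        if status == 407 and self.proxy is not None:
            # Proxy challenge: bound to the proxy the client chose, not the site.
            return ("proxy",) + self.proxy + (realm,)
        return None  # 407 with no configured proxy: the challenge is ignored

    def remember(self, status, url, realm, creds):
        key = self._key(status, url, realm)
        if key is not None:
            self.store[key] = creds

    def lookup(self, status, url, realm):
        """Return cached credentials, or None (prompt the user, or ignore)."""
        return self.store.get(self._key(status, url, realm))

def prompts_needed(cache, status, urls, realm, creds="user:pass"):
    """Count requests for which no cached credentials can be reused."""
    prompts = 0
    for url in urls:
        if cache.lookup(status, url, realm) is None:
            prompts += 1
            cache.remember(status, url, realm, creds)
    return prompts

# Constructed sample input: three requests sent through the same intermediary.
SITES = ["http://a.example/", "http://b.example/x", "http://a.example/y"]
```

With the same realm string on every challenge, an interceptor answering 401 still costs one prompt per distinct origin, while a configured proxy answering 407 costs one prompt in total.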