W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

WGLC issue: "Realms and scope" in p7

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 15 Mar 2012 20:39:32 -0700
Message-ID: <CABkgnnUShc0fP_xX2FcuXuKBx2oQ_p2G4eK8PVQrqrfpdn8mug@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
There's an implicit acknowledgement that one resource does not know
about another (from p3):

   A cache cannot assume that a representation with a Content-Location
   different from the URI used to retrieve it can be used to respond to
   later requests on that Content-Location URI.

However, the mechanism we use (and rely upon for performance) from p7
makes no concessions on that point.  A server that operates separate
fiefdoms by allocating different portions of path-space cannot prevent
one vassal state from learning the secrets of any other that uses
these authentication mechanisms we so love to hate.

For instance, if "/kind/and/naive" is authenticated in the realm
"puppies", then "/kinda/shifty" can harvest their authentication
information if a logged in user agent navigates there. See "log out"
discussion for exacerbating stuff.  User agents don't know (or care)
for this distinction.

Of course, this is all pretty obvious, but is this worth acknowledging
in Section 6?
Received on Friday, 16 March 2012 03:40:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:57 GMT