Re: Comments on: Access Control for Cross-site Requests

From: John Panzer <jpanzer@acm.org>
Date: Mon, 04 Feb 2008 11:10:55 -0800
Message-ID: <47A7633F.4070309@acm.org>
CC: public-appformats@w3.org

Some comments on blocking of authentication credentials:

    When making a cross-site access request
    <http://dev.w3.org/2006/waf/access-control/#cross-site-access-request>,
    user agents /should/ ensure to:
    "Not allow the author to set cookies or authentication credentials
    for the request, as this would allow for a distributed cookie or
    credentials search."

and

    Why can cookies and authentication information /not/ be provided by
    the script author for the request?

        This would allow dictionary based, distributed, cookies / user
        credentials search.

There are schemes for Authorization: which do not use passwords and 
therefore do not have a dictionary attack problem; one of them is OAuth 
(http://oauth.net).  It uses the Authorization: header by preference and 
can be used within a browser.  (OpenSocial is in fact currently relying 
on OAuth for authorization of proxied cross-site requests.)

Is the intent to block the use of Authorization: headers completely, or 
only the use of Authorization: Basic and the like?  If the former, I 
suggest that hindering the use of newer, more secure mechanisms for 
authentication reduces security rather than enhancing it.

-John
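As an added illustration of the question raised in this message, the following Python models how a resource server and a user agent negotiate a cross-site request that carries an Authorization: header. It is not code from the original message, from OpenSocial, or from the W3C draft under discussion; it follows the CORS mechanism as it was later standardized (an OPTIONS preflight answered with Access-Control-Allow-Origin, Access-Control-Allow-Headers and Access-Control-Allow-Credentials), which is not the behaviour of the 2008 draft. The origins, the policy and the header values are constructed for the example. The point it shows from the defender's side is that a non-safelisted header such as Authorization: never leaves the browser unless the target server has explicitly opted in for that origin and that header, which confines the "distributed credentials search" concern to servers that chose to accept such requests.

```python
from dataclasses import dataclass

# CORS "simple request" limits: only these methods and request headers may be
# sent cross-site without the server being asked first.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


@dataclass(frozen=True)
class CorsPolicy:
    """Per-resource opt-in: which origins may send which extra request headers."""
    allowed_origins: frozenset
    allowed_headers: frozenset       # lower-case header names, e.g. {"authorization"}
    allow_credentials: bool = False  # whether cookies / HTTP auth may ride along


def needs_preflight(method, headers):
    """A request is 'simple' only if its method and every header are safelisted;
    anything else (including Authorization:) requires a preflight."""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    return any(name.lower() not in SAFELISTED_HEADERS for name in headers)


def handle_preflight(policy, origin, req_method, req_headers):
    """Server side of the OPTIONS preflight. Returns (status, response headers)."""
    if origin not in policy.allowed_origins:
        return 403, {}
    extra = {h.lower() for h in req_headers} - SAFELISTED_HEADERS
    if not extra <= policy.allowed_headers:
        return 403, {}
    resp = {
        # With credentials the origin must be echoed explicitly; "*" is not valid.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": req_method.upper(),
        "Access-Control-Allow-Headers": ", ".join(sorted(extra)),
    }
    if policy.allow_credentials:
        resp["Access-Control-Allow-Credentials"] = "true"
    return 200, resp


def browser_would_send(policy, origin, method, headers, with_credentials=False):
    """Model the user agent: does the actual request leave the browser with these
    headers attached? Simple requests go straight out; everything else is gated on
    a preflight answer that names this origin and every extra header."""
    if not needs_preflight(method, headers):
        return True
    status, resp = handle_preflight(policy, origin, method, headers)
    if status != 200:
        return False
    allowed_origin = resp.get("Access-Control-Allow-Origin")
    if with_credentials:
        # Credentialed requests need an exact origin match and an explicit "true".
        if allowed_origin != origin or resp.get("Access-Control-Allow-Credentials") != "true":
            return False
    elif allowed_origin not in (origin, "*"):
        return False
    granted = {h.strip().lower()
               for h in resp.get("Access-Control-Allow-Headers", "").split(",") if h.strip()}
    wanted = {h.lower() for h in headers} - SAFELISTED_HEADERS
    return wanted <= granted


# Constructed policy: an API that accepts an OAuth-style Authorization: header
# only from one partner origin (the origins are made up for this example).
API_POLICY = CorsPolicy(
    allowed_origins=frozenset({"https://app.example"}),
    allowed_headers=frozenset({"authorization"}),
    allow_credentials=True,
)

if __name__ == "__main__":
    hdrs = {"Authorization": 'OAuth oauth_consumer_key="example"'}
    # Partner origin: preflight succeeds, the header is sent.
    print(browser_would_send(API_POLICY, "https://app.example", "GET", hdrs, with_credentials=True))
    # Any other origin: preflight is refused, the credential never leaves the browser.
    print(browser_would_send(API_POLICY, "https://other.example", "GET", hdrs))
```

The two calls at the bottom answer the message's question for the standardized design: Authorization: is not blocked outright, but it is only ever sent to a server that has listed both the origin and the header in its preflight response, so a password-carrying scheme and a signature-based one like OAuth are treated the same way by the browser and the server decides which it will accept.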
Received on Monday, 4 February 2008 19:07:32 GMT