
Re: [xhr] proxy-connection header

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 25 Jul 2007 06:52:06 -0700
Message-ID: <46A75586.1020805@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>, Web APIs WG <public-webapi@w3.org>

Anne van Kesteren wrote:
> On Mon, 23 Jul 2007 08:37:26 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> [...]
>>
>> So I think we should disallow this header since we're disallowing 
>> "Connection" as it might otherwise confuse proxies.
> 
> Agreed. I have not added Proxy-Authorization as setting the 
> Authorization header is allowed as well.

The part I'm worried about is that the Authorization header will be 
picked up by your (the author's) web server. However, Proxy-Authorization 
will be picked up by the proxy. Using this you can potentially launch a 
distributed brute-force password attack against a company proxy. This is 
why I'm in general thinking that disallowing Proxy-* might be a good idea.

/ Jonas
Received on Wednesday, 25 July 2007 13:52:50 GMT
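As an added illustration (not code from the thread or from any browser), the following models the header-name filtering that the discussion above is converging on: header names are matched case-insensitively, a fixed set of names is refused, and anything under the `Proxy-` prefix is refused wholesale so that a page author cannot address the user's proxy. The explicit names listed below follow the present-day Fetch standard's forbidden request-header list as far as I know it; the thread itself only names Connection, Proxy-Connection and Proxy-Authorization. The `RequestHeaders` class and its `set`/`get` methods are a hypothetical stand-in for `setRequestHeader()`, and the Basic credential used in the usage lines is a constructed value.

```javascript
// Added example, not from the thread: a forbidden-request-header check of the
// kind discussed above. The explicit names follow the present-day Fetch
// standard's forbidden request-header list (from memory); the thread itself only
// names Connection, Proxy-Connection and Proxy-Authorization.
const FORBIDDEN_HEADER_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

// Prefixes refused wholesale. "Proxy-" is exactly the suggestion in the mail:
// headers consumed by an intermediary rather than the author's own server
// should not be settable by page script. "Sec-" is the browser-controlled
// prefix that later specifications added.
const FORBIDDEN_HEADER_PREFIXES = ["proxy-", "sec-"];

// RFC 7230 "token" characters, the only ones legal in a header field name.
const TOKEN_RE = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

function isForbiddenRequestHeader(name) {
  const lower = name.toLowerCase(); // header names are case-insensitive
  if (FORBIDDEN_HEADER_NAMES.has(lower)) return true;
  return FORBIDDEN_HEADER_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Hypothetical minimal model of setRequestHeader() name handling: a malformed
// name throws, a forbidden name is silently dropped (returns false), and a
// repeated allowed name has its values combined with ", ".
class RequestHeaders {
  constructor() {
    this.map = new Map();
  }

  set(name, value) {
    if (!TOKEN_RE.test(name)) {
      throw new SyntaxError(`invalid header name: ${name}`);
    }
    if (isForbiddenRequestHeader(name)) return false; // dropped, never sent
    const key = name.toLowerCase();
    const previous = this.map.get(key);
    this.map.set(key, previous === undefined ? value : `${previous}, ${value}`);
    return true;
  }

  get(name) {
    return this.map.get(name.toLowerCase());
  }
}

// Usage: Authorization reaches the author's server and is kept;
// Proxy-Authorization would reach the proxy instead and is dropped.
const headers = new RequestHeaders();
headers.set("Authorization", "Basic dXNlcjpjb25zdHJ1Y3RlZA==");       // constructed value
headers.set("Proxy-Authorization", "Basic dXNlcjpjb25zdHJ1Y3RlZA=="); // constructed value, dropped
```

The two prefixes are checked after the exact-name set so that a future `Proxy-Something` header needs no list update, which is the practical argument for a prefix rule over enumerating `Proxy-Connection` and `Proxy-Authorization` individually.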
