Anne van Kesteren wrote:
> On Mon, 23 Jul 2007 08:37:26 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> [...]
>>
>> So I think we should disallow this header since we're disallowing
>> "Connection" as it might otherwise confuse proxies.
>
> Agreed. I have not added Proxy-Authorization as setting the
> Authorization header is allowed as well.

The part I'm worried about is that the Authorization header will be picked up by your (the author's) web server. However, Proxy-Authorization will be picked up by the proxy. Using this you can potentially launch a distributed brute-force password attack against a company proxy.

This is why I'm in general thinking that disallowing Proxy-* might be a good idea.

/ Jonas

Received on Wednesday, 25 July 2007 13:52:50 GMT
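
The rule discussed in this message, sketched as an added example (not part of the original post and not code from the XMLHttpRequest specification): a filter that rejects "Connection" and any Proxy-* header an author tries to set, while letting Authorization through to the origin server. The function names and the blocked list, which covers only the headers named in this thread, are assumptions.

```javascript
// Added example: hypothetical author-header filter for the rule proposed in the thread.
// The lists below cover only the header names mentioned in the message (assumption).
const BLOCKED_EXACT = new Set(["connection"]);
const BLOCKED_PREFIXES = ["proxy-"];
// Header names must be HTTP tokens; anything else (spaces, CR/LF, colon) is refused.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Decide whether a single author-supplied header name may be sent.
function checkAuthorHeader(name) {
  if (typeof name !== "string" || !TOKEN_RE.test(name)) {
    return { allowed: false, reason: "not a valid header name" };
  }
  // Header names are case-insensitive, so compare in lower case.
  const lower = name.toLowerCase();
  if (BLOCKED_EXACT.has(lower)) {
    return { allowed: false, reason: "hop-by-hop header" };
  }
  const prefix = BLOCKED_PREFIXES.find((p) => lower.startsWith(p));
  if (prefix) {
    return { allowed: false, reason: "consumed by the proxy (" + prefix + "*)" };
  }
  return { allowed: true, reason: "delivered to the origin server" };
}

// Split a list of [name, value] pairs into headers to send and headers to drop.
function filterAuthorHeaders(pairs) {
  const sent = [];
  const dropped = [];
  for (const [name, value] of pairs) {
    const verdict = checkAuthorHeader(name);
    (verdict.allowed ? sent : dropped).push({ name, value, reason: verdict.reason });
  }
  return { sent, dropped };
}

// Constructed sample input; the values are placeholders.
const SAMPLE = [
  ["Authorization", "Basic <constructed>"],
  ["proxy-authorization", "Basic <constructed>"],
  ["Connection", "close"],
  ["X-Requested-With", "XMLHttpRequest"],
];
console.log(filterAuthorHeaders(SAMPLE));
```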