Re: [xhr] proxy-connection header

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 25 Jul 2007 16:30:22 +0200
To: "Jonas Sicking" <jonas@sicking.cc>, "Web APIs WG" <public-webapi@w3.org>
Message-ID: <op.tv0ykwxt64w2qv@annevk-t60.oslo.opera.com>

On Wed, 25 Jul 2007 15:52:06 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> The part I'm worried about is that the Authorization header will be  
> picked up by your (the author's) web server. However Proxy-Authorization  
> will be picked up by the proxy. Using this you can potentially launch a  
> distributed brute-force password attack against a company proxy. This is  
> why I'm in general thinking that disallowing Proxy-* might be a good  
> idea.

Ok, fair enough:  

Is that better?

Anne van Kesteren
Received on Wednesday, 25 July 2007 14:30:34 UTC
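
The restriction argued for in the quoted text, sketched as an added example (not code from this thread, the XHR draft or any browser): a case-insensitive prefix check that refuses every `Proxy-*` name an author script asks to set, while `Authorization` still goes through to the origin server. The function names and the sample header list are assumptions made for illustration.

```javascript
// Hypothetical user-agent-side filter for author-supplied request headers.
// Only the Proxy-* family discussed in the thread is modelled here.
const FORBIDDEN_PREFIXES = ["proxy-"];

// Header field names consist of HTTP "token" characters only.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isAuthorSettableHeader(name) {
  if (typeof name !== "string" || !TOKEN.test(name)) return false;
  // Header names are case-insensitive, so compare in lower case.
  const lower = name.toLowerCase();
  // Prefix match rather than an exact-name list: a list containing only
  // "proxy-authorization" would miss "proxy-connection" and any later
  // header a proxy starts to honour.
  return !FORBIDDEN_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Splits a list of [name, value] pairs into what would be sent and what
// would be refused, the way a setRequestHeader() implementation might.
function filterAuthorHeaders(requested) {
  const accepted = new Map();
  const rejected = [];
  for (const [name, value] of requested) {
    if (isAuthorSettableHeader(name)) accepted.set(name.toLowerCase(), value);
    else rejected.push(name);
  }
  return { accepted, rejected };
}

// Constructed sample input: values are placeholders, not real credentials.
const sampleHeaders = [
  ["Authorization", "Basic <placeholder>"],       // consumed by the origin server
  ["Proxy-Authorization", "Basic <placeholder>"], // consumed by the proxy
  ["proxy-connection", "keep-alive"],             // lower-case spelling
  ["PROXY-Future-Header", "x"],                   // not known today, same family
  ["X-Proxy-Hint", "1"],                          // "proxy" is not the prefix
  ["Bad Name", "x"],                              // not a valid token
];

const result = filterAuthorHeaders(sampleHeaders);
console.log([...result.accepted.keys()], result.rejected);
```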