W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2010

Re: [UMP] Proxy-Authorization

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 10 Jan 2010 14:25:28 -0800
Message-ID: <7789133a1001101425o314d9e39t66f8fb9a9e500e06@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps <public-webapps@w3.org>
I don't quite understand this part of that text:

[[
In this case, the request
sent by the user-agent is not a uniform request; however, the request
ultimately delivered to the resource host will be, since any
Proxy-Authorization request header is removed by the proxy before
forwarding the request to the resource host.
]]

Concretely, suppose:

1) The user has authenticated to a proxy P using the
Proxy-Authenticate / Proxy-Authentication protocol.
2) The user visits web site A which uses the UniformRequest API to
generate a request R to web site B.
3) Based on that text, it sounds like R is delivered to P with the
Proxy-Authentication information intact.  Presumably the proxy will
forward the request to B.
4) B responds with "Access-Control-Allow-Origin: *".

Now, is B's response delivered to A?

More abstractly, why aren't we worrying about P misbehaving based on
the ambient authority in R (i.e., the Proxy-Authentication
information)?  Why do the security considerations for the
Proxy-Authorization header differ from the security considerations for
the Authorization header?

Adam


On Sun, Jan 10, 2010 at 2:14 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Sat, Jan 9, 2010 at 10:50 AM, Adam Barth <w3c@adambarth.com> wrote:
>> The UMP spec says:
>>
>> [[
>> The user agent must not add any information obtained from: HTTP
>> cookies, HTTP Auth headers, client certificates, or the referring
>> resource, including its origin (other than the request parameters).
>> ]]
>>
>> Does this include the Proxy-Authorization header?  If so, how can
>> clients behind proxies that require authorization use web sites that
>> depend on UMP?
>
> Good catch. I've updated the text on sending a uniform request to
> account for this proxy information. The new text is:
>
> """
> 3.2 Sending a Uniform Request
>
> The content of a uniform request is determined solely by the provided
> uniform request parameters, the user-agent's response cache and the
> required structure of an HTTP request. If a user-agent is configured
> to send the request via a proxy, instead of directly to the host
> specified by the request URL, this proxy configuration information can
> be used to send the request to the proxy. In this case, the request
> sent by the user-agent is not a uniform request; however, the request
> ultimately delivered to the resource host will be, since any
> Proxy-Authorization request header is removed by the proxy before
> forwarding the request to the resource host. Other than this proxy
> information, the user-agent must not augment the sent request with any
> data that identifies the user or the origin of the request. In
> particular, the user-agent must not add any information obtained from:
> HTTP cookies, HTTP Auth headers, client certificates, or the referring
> resource, including its origin (other than the request parameters).
> """
>
> See:
> http://dev.w3.org/2006/waf/UMP/#request-sending
>
> --Tyler
>
> --
> "Waterken News: Capability security on the Web"
> http://waterken.sourceforge.net/recent.html
>
Received on Sunday, 10 January 2010 22:26:20 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:36 GMT