W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2010

Re: [UMP] Proxy-Authorization

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 11 Jan 2010 12:40:36 -0800
Message-ID: <5691356f1001111240p7adb20am3669c4adfc3d38ff@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: public-webapps <public-webapps@w3.org>
On Sun, Jan 10, 2010 at 2:25 PM, Adam Barth <w3c@adambarth.com> wrote:
> I don't quite understand this part of that text:
>
> [[
> In this case, the request
> sent by the user-agent is not a uniform request; however, the request
> ultimately delivered to the resource host will be, since any
> Proxy-Authorization request header is removed by the proxy before
> forwarding the request to the resource host.
> ]]
>
> Concretely, suppose:
>
> 1) The user has authenticated to a proxy P using the
> Proxy-Authenticate / Proxy-Authentication protocol.
> 2) The user visits web site A which uses the UniformRequest API to
> generate a request R to web site B.
> 3) Based on that text, it sounds like R is delivered to P with the
> Proxy-Authentication information intact.  Presumably the proxy will
> forward the request to B.
> 4) B responds with "Access-Control-Allow-Origin: *".
>
> Now, is B's response delivered to A?

Yes, assuming that user-agent is configured to use that proxy server.
Note that the request forwarded to B does *not* have a
Proxy-Authorization header.

> More abstractly, why aren't we worrying about P misbehaving based on
> the ambient authority in R (i.e., the Proxy-Authentication
> information)?  Why do the security considerations for the
> Proxy-Authorization header differ from the security considerations for
> the Authorization header?

The resource host decides whether or not to accept a request, what
side-effects are caused, and what information is put in the response.
We want to prevent ambient authority from having an effect on these
decisions by the resource host. The proxy is presumably semantically
transparent and so has no impact on these decisions by the resource
host. For https: resources, this transparency is cryptographically
enforced by the SSL protocol, which tunnels the connection through the
proxy.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Monday, 11 January 2010 20:41:08 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:36 GMT