- From: Jim Gettys <jg@pa.dec.com>
- Date: Tue, 2 Sep 1997 12:26:33 -0700
- To: Ari Luotonen <luotonen@netscape.com>
- Cc: John Franks <john@math.nwu.edu>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
I agree with Ari. There is a security consideration hiding here, though... If someone has authenticated themselves on a realm corresponding to http://host/dir1, the browser should not try to present those credentials to authenticate themselves at http://host/dir2 (i.e., they should limit themselves to the same region of namespace that the first realm was observed for). Otherwise, one will be presenting a username and password to potentially a different agent that may then capture and/or attack using it (particularly for Basic, not one of the world's best security mechanisms). I don't remember any such security consideration in the current document.

- Jim
Received on Tuesday, 2 September 1997 12:36:55 UTC
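The scoping rule Jim describes, as an added example that is not part of this thread: a hypothetical client-side credential cache keyed on (scheme, host, port, realm) that only replays cached credentials for URLs under the directory where the challenge was first seen, so credentials learned at http://host/dir1/ are never offered to http://host/dir2/.

```python
from urllib.parse import urlsplit


class CredentialStore:
    """Hypothetical browser-side cache of HTTP auth credentials.

    Credentials are remembered per protection space (scheme, host, port,
    realm) together with the directory of the URL where the challenge was
    observed, and are only replayed for requests inside that directory.
    Scoping to the directory prefix is this example's assumption.
    """

    def __init__(self):
        # (scheme, host, port, realm) -> {"prefix": dir, "creds": (user, pw)}
        self._spaces = {}

    @staticmethod
    def _origin(url):
        u = urlsplit(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        return (u.scheme, u.hostname, port)

    @staticmethod
    def _dir(path):
        # Directory of the request path: everything up to the last '/'.
        return path[: path.rfind("/") + 1] or "/"

    def remember(self, url, realm, username, password):
        """Store credentials after a challenge for `realm` was answered at `url`."""
        key = self._origin(url) + (realm,)
        self._spaces[key] = {
            "prefix": self._dir(urlsplit(url).path),
            "creds": (username, password),
        }

    def lookup(self, url, realm=None):
        """Return credentials safe to send for `url`, or None.

        With no realm (pre-emptive send) any space at the same origin whose
        directory prefix covers the path qualifies; with a realm (a fresh
        challenge arrived) the realm must also match exactly.
        """
        origin = self._origin(url)
        path = urlsplit(url).path or "/"
        for (scheme, host, port, space_realm), entry in self._spaces.items():
            if (scheme, host, port) != origin:
                continue  # different origin: never reuse across hosts/schemes
            if realm is not None and realm != space_realm:
                continue  # a different realm gets no credentials from this one
            if path.startswith(entry["prefix"]):
                return entry["creds"]
        return None
```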