- From: Dave Kristol <dmk@research.bell-labs.com>
- Date: Thu, 20 Aug 1998 15:16:13 -0400 (EDT)
- To: http-wg@hplb.hpl.hp.com
Section 3.2.2.5
The authenticating server must assure that the document
designated by the "uri" parameter is the same as the document
served. The purpose of duplicating information from the request
URL in this field is to deal with the possibility that an
intermediate proxy may alter the client's request. This altered
(but presumably semantically equivalent) request would not result
in the same digest as that calculated by the client.
Let's say the URL is "http://example.com/foobar". digest-uri-value
can be any HTTP/1.1 request-uri. Should the client set uri="/foobar"
or uri="http://example.com/foobar"? Does the answer depend on whether
the client connects to example.com through a proxy. (I hope not.)
An HTTP/1.1 server at example.com can legitimately get either of these
request lines:
GET /foobar HTTP/1.1
or GET http://example.com/foobar HTTP/1.1
(An HTTP/1.1 proxy could, for example, pass the second line to the
origin server.)
The origin server is supposed to compare the digest-uri-value and the
request-uri. It could thus find itself comparing the abs_path and
absoluteURI forms, one from uri=, the other from reguest-uri. At the
very least, I think the spec. should alert implementors to that
possibility.
(And I assume the correct behavior is to respond with 400 Bad Request
if there's a mismatch.)
Dave Kristol
Received on Thursday, 20 August 1998 12:19:26 UTC