- From: John C. Mallery <jcma@csail.mit.edu>
- Date: Wed, 12 Jul 2006 14:47:59 +0000
- To: ietf-http-wg@w3.org
Few browsers seem to have implemented HTTP 1.1 Digest Authentication correctly, at least on the Mac. Digest authentication of proxy requests seems to be a major problem area. Firefox 2.0b1 seems to be the best implementation on the Mac.

1. I note, however, that it computes the digest based on the relative URI of the absolute URI requested of the proxy.

RFC 2617 says that the uri should be

    digest-uri-value = request-uri ; As specified by HTTP/1.1

RFC 2616 says that the

    Request-URI = "*" | absoluteURI | abs_path | authority

Further, RFC 2617 says:

"The authenticating server must assure that the resource designated by the "uri" directive is the same as the resource specified in the Request-Line; if they are not, the server SHOULD return a 400 Bad Request error."

On my reading of the specs, this is a bug. What do people think? Should the specification be clarified in this regard? What should be done about backward compatibility for buggy clients?

2. If the absoluteURI is used, there is an issue of canonicalizing the case of the scheme, host, and any escape codes. These are not treated by RFC 2617.

Comments?
Received on Wednesday, 12 July 2006 15:19:24 UTC
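
The two points raised in the message above, as an added example that is not part of the original post: a proxy-side check of the "uri" directive against the Request-Line, with the RFC 2617 request-digest (MD5, qop=auth) computed over the directive as sent. The credentials, nonce values, function names, the 407 result for a bad digest and the canonicalization policy are assumptions made for illustration; RFC 2617 defines no canonical form.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit, urlunsplit

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def request_digest(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for algorithm=MD5, qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")  # the "uri" directive is hashed verbatim
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def canonical(uri):
    """Assumed policy: lower-case scheme and host, upper-case hex in %-escapes."""
    p = urlsplit(uri)
    joined = urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, ""))
    return re.sub(r"%[0-9A-Fa-f]{2}", lambda m: m.group(0).upper(), joined)

def proxy_verify(method, request_uri, auth, password, canonicalize=False):
    """Return 400 on a uri mismatch, 407 on a bad digest, 200 otherwise."""
    sent, seen = auth["uri"], request_uri
    if canonicalize:
        sent, seen = canonical(sent), canonical(seen)
    if sent != seen:
        return 400  # "uri" directive and Request-Line name different resources
    expected = request_digest(auth["username"], auth["realm"], password, method,
                              auth["uri"], auth["nonce"], auth["nc"], auth["cnonce"])
    return 200 if hmac.compare_digest(expected, auth["response"]) else 407

# Constructed sample values, not taken from any real exchange.
BASE = {"username": "alice", "realm": "proxy", "nonce": "abc123",
        "nc": "00000001", "cnonce": "xyz789"}
ABSOLUTE = "http://www.example.org/index.html"

def client_auth(uri_directive, password="secret"):
    """Directives a client would send for a GET using the given "uri" value."""
    auth = dict(BASE, uri=uri_directive)
    auth["response"] = request_digest(auth["username"], auth["realm"], password,
                                      "GET", uri_directive, auth["nonce"],
                                      auth["nc"], auth["cnonce"])
    return auth

if __name__ == "__main__":
    mixed = "HTTP://WWW.Example.ORG/index.html"
    print(proxy_verify("GET", ABSOLUTE, client_auth(ABSOLUTE), "secret"))
    print(proxy_verify("GET", ABSOLUTE, client_auth("/index.html"), "secret"))
    print(proxy_verify("GET", mixed, client_auth(ABSOLUTE), "secret"))
    print(proxy_verify("GET", mixed, client_auth(ABSOLUTE), "secret", True))
```

A strict comparison rejects both the relative-URI client and a request that differs only in scheme or host case; the canonicalizing comparison accepts the latter while still hashing the directive exactly as the client sent it.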