- From: Paul Leach <paulle@windows.microsoft.com>
- Date: Wed, 20 Dec 2006 17:24:27 -0800
- To: "Travis Snoozy (Volt)" <a-travis@microsoft.com>, <ietf-http-wg@w3.org>
Authentication protocols that provide integrity protection can rely on the original wording to mean that they can include fields that proxies aren't allowed to modify in the integrity check.

-----Original Message-----
From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] On Behalf Of Travis Snoozy (Volt)
Sent: Wednesday, December 20, 2006 4:47 PM
To: ietf-http-wg@w3.org
Subject: Intent of 14.38 Server

Section 14.38 states:

"If the response is being forwarded through a proxy, the proxy application MUST NOT modify the Server response-header. Instead, it MUST include a Via field (as described in Section 14.45)."

Taken literally, this requirement overrides the ability for a proxy to replace whitespace, and totally prevents a proxy from sanitizing the field-value. Is this the intent? The mention of Via seems to indicate otherwise -- that the intent is to prevent proxies from inserting their own server string into the Server header.

Another problem is that the term "modify" is not defined precisely. Does removal of a header count as modification?

Any thoughts?

--
Travis
Received on Thursday, 21 December 2006 01:24:50 UTC