- From: Adrien de Croy <adrien@qbik.com>
- Date: Tue, 02 Jun 2009 14:15:32 +1200
- To: HTTP Working Group <ietf-http-wg@w3.org>
There is an ambiguity brought about by the requirements of RFC2616 to require origin servers to support absolute URI in requests (RFC2616 s 19.6.1.1). If you consider the case of a proxy which is also an origin server, then you get a problem when the proxy receives a request for a URI for which the proxy is an origin server, and that request contains an absolute URI, and the proxy requires the client to be authenticated. In such cases, it's impossible to tell whether to send a Proxy-Authenticate, or a WWW-Authenticate header in the response, since you can't tell from the syntax of the request whether the client believes it is talking to a proxy or an origin server. I've never seen a client send an absoluteURI in a request to an origin server, so the obvious solution is to ignore RFC 19.6.1.1, and base the decision on the semantics of the request. However that doesn't seem like a great option if clients are one day going to start send requests to origin servers with absolute URIs. Should this requirement be deprecated? Otherwise how should this case be handled? A proxy that can also be an origin server needs to know whether the client believes it's talking to a proxy or not for auth and other reasons (e.g. default handling of origin-server requests for a proxy vs proxy requests). Regards Adrien -- Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Tuesday, 2 June 2009 02:12:51 UTC