- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Tue, 22 Sep 2009 10:09:16 -0700
- To: John Panzer <jpanzer@google.com>
- Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "oauth@ietf.org" <oauth@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Sep 21, 2009, at 2:56 PM, John Panzer wrote: > On the server side, one of the concerns in the past has been > security in shared hosting systems where e.g., basic auth data > should be handled by a secure container (Apache) and not passed on > in raw form to hosted CGI scripts. So some of this comes back to > what minimum level of hosting should be targeted by the > specification -- and how much it should bend over backwards to deal > with "challenged" environments. That is only a concern for Basic auth, AFAIK. Apache could tweak it to only forward unhandled non-Basic credentials to CGI or just a summary of what has been validated, though some indication of what needs to be forwarded would be useful. > My $.02 is that we should follow the HTTP spec (Authorization: and > WWW-Authenticate:) and take a minimum distance path to route around > limited environments if necessary (X-Authorization: and X-WWW- > Authenticate:, with exactly the same content, would be my proposal). Just follow the HTTP spec. Someone will implement it. If people try to bypass HTTP extensibility mechanisms with stupid hacks that get shipped in production software, Apache will add code to strip their information from the stream before anyone sees it. ....Roy
Received on Tuesday, 22 September 2009 17:10:11 UTC