Re: Same Origin Policy and HTTP Authentication

* Mark Nottingham wrote:
>Changing how HTTP authentication works is explicitly out of scope for
>this WG, although you will likely find people willing to discuss it
>here.

Well, "It will also incorporate the generic authentication framework
from RFC 2617, without obsoleting or updating that specification's
definition of the Basic and Digest schemes." is part of the charter,
and the concern raised by Chirag Shah falls into that in that it's a
security concern if you have a resource that transcludes other
resources where one or more of them require authentication, you get a
popup, and aren't actually sure who is requesting the password.

I've run into this myself a couple of times, say on W3C pages where
the access control has been misconfigured, so you get, say, team-only
images on a member-only page, or member-only images on a public page,
or even attachments in the list archive referencing member-only things
on the main site, sometimes caused by W3C mirrors being out of sync
with the main site.

While we are not in the business of saying "If an HTML page does this,
then don't prompt the user for a password" or anything like that, it
is something we need to mention in the security considerations if we
include the "generic authentication framework", given how very common
resources transcluding other resources are in the context of HTTP.

(That could be as simple as reminding readers that such situations
may confuse users so interactive user agents need to pay special
attention to that.)
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

Received on Thursday, 9 December 2010 02:13:33 UTC
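The situation described in this message, as an added audit example that is not part of the thread or of any W3C tooling: given a page and the responses its transcluded resources would get, it lists the resources that would make an interactive user agent prompt for credentials, together with the origin and realm the prompt would be for, and whether that origin differs from the page's. The URLs, HTML and responses are constructed; the function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import re

# Constructed sample: a public page that embeds three resources, one of them
# from a mirror host (the out-of-sync-mirror case mentioned in the message).
PAGE_URL = "https://www.example.org/public/report.html"
PAGE_HTML = """
<html><body>
<img src="/images/public-logo.png">
<img src="/member/chart.png">
<script src="https://mirror.example.net/team/stats.js"></script>
</body></html>
"""

# Constructed stand-in for what fetching each resource would return:
# (status, headers). A real audit would issue the requests instead.
RESPONSES = {
    "https://www.example.org/images/public-logo.png": (200, {}),
    "https://www.example.org/member/chart.png":
        (401, {"WWW-Authenticate": 'Basic realm="W3C members"'}),
    "https://mirror.example.net/team/stats.js":
        (401, {"WWW-Authenticate": 'Digest realm="team", nonce="abc"'}),
}

class SubresourceParser(HTMLParser):
    """Collect absolute URLs the page transcludes via img/script/iframe/embed/link."""
    def __init__(self, base):
        super().__init__()
        self.base, self.urls = base, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("img", "script", "iframe", "embed") and attrs.get("src"):
            self.urls.append(urljoin(self.base, attrs["src"]))
        elif tag == "link" and attrs.get("href"):
            self.urls.append(urljoin(self.base, attrs["href"]))

def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def find_auth_prompts(page_url, html, responses):
    """Return (url, origin, realm, cross_origin) for each transcluded resource
    that answers 401 with a challenge, i.e. would trigger a credential prompt."""
    parser = SubresourceParser(page_url)
    parser.feed(html)
    findings = []
    for url in parser.urls:
        status, headers = responses.get(url, (200, {}))
        challenge = headers.get("WWW-Authenticate", "")
        if status != 401 or not challenge:
            continue
        m = re.search(r'realm="([^"]*)"', challenge)
        realm = m.group(1) if m else ""
        findings.append((url, origin(url), realm, origin(url) != origin(page_url)))
    return findings
```

Run against a real site, the cross_origin flag is the case to fix first, since the prompt names a host the user never navigated to.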