- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Thu, 09 Dec 2010 03:12:51 +0100
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Chirag Shah <chiragshah1@gmail.com>, ietf-http-wg@w3.org
* Mark Nottingham wrote:
>Changing how HTTP authentication works is explicitly out of scope for
>this WG, although you will likely find people willing to discuss it
>here.

Well, "It will also incorporate the generic authentication framework from RFC 2617, without obsoleting or updating that specification's definition of the Basic and Digest schemes." is part of the charter, and the concern raised by Chirag Shah falls into that in that it's a security concern if you have a resource that transcludes other resources where one or more of them require authentication, you get a popup, and aren't actually sure who is requesting the password.

I've run into this myself a couple of times, say on W3C pages where the access control has been misconfigured, so you get, say, team-only images on a member-only page, or member-only images on a public page, or even attachments in the list archive referencing member-only things on the main site, sometimes caused by W3C mirrors being out of sync with the main site.

While we are not in the business of saying "If a HTML page does this, then don't prompt the user for a password" or anything like that, it is something we need to mention in the security considerations if we include the "generic authentication framework", given how very common resources transcluding other resources are in the context of HTTP. (That could be as simple as reminding readers that such situations may confuse users so interactive user agents need to pay special attention to that.)

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Thursday, 9 December 2010 02:13:33 UTC
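The situation the message describes, a page transcluding subresources that answer with an HTTP 401 challenge from some other origin, is the kind of thing an interactive user agent (or an auditor checking a site for misconfigured access control) would want to detect and surface before showing a credential prompt. The following is an added illustration, not code from the thread or from any W3C or IETF project: it takes a page URL plus a constructed list of subresource responses (the hostnames, realms and nonce are made up) and reports every 401 challenge together with its scheme, realm and whether it comes from the page's own origin. The realm parser is a simplified one that splits on commas, so a quoted-string realm containing a comma would need a fuller RFC 2617 parser.

```python
from urllib.parse import urlsplit

# Constructed sample: a member-only page that transcludes images from
# other hosts. All names below are invented for this illustration.
PAGE_URL = "https://www.example.org/member/report.html"

# (subresource URL, HTTP status, WWW-Authenticate header value or None)
SUBRESOURCE_RESPONSES = [
    ("https://www.example.org/member/chart.png", 200, None),
    ("https://mirror.example.net/member/logo.png", 401,
     'Basic realm="Member area"'),
    ("https://team.example.org/team/photo.png", 401,
     'Digest realm="Team only", nonce="constructed-nonce"'),
]


def origin(url):
    """Return the (scheme, host, port) triple a browser treats as the origin."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


def parse_challenge(header):
    """Return (auth scheme, realm) from a WWW-Authenticate value.

    Simplified: splits parameters on commas, so it does not handle a
    quoted realm that itself contains a comma.
    """
    scheme, _, params = header.partition(" ")
    realm = None
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == "realm":
            realm = value.strip().strip('"')
    return scheme, realm


def cross_origin_challenges(page_url, responses):
    """List transcluded subresources that answer 401.

    Each finding records which origin is asking and whether it matches
    the page the user is actually looking at, which is exactly the
    information a bare password popup fails to convey.
    """
    page_origin = origin(page_url)
    findings = []
    for url, status, www_auth in responses:
        if status != 401 or not www_auth:
            continue
        scheme, realm = parse_challenge(www_auth)
        findings.append({
            "url": url,
            "scheme": scheme,
            "realm": realm,
            "same_origin": origin(url) == page_origin,
        })
    return findings


if __name__ == "__main__":
    for f in cross_origin_challenges(PAGE_URL, SUBRESOURCE_RESPONSES):
        where = "same origin" if f["same_origin"] else "OTHER origin"
        print(f"{f['scheme']} challenge, realm={f['realm']!r} from "
              f"{f['url']} ({where})")
```

Run as a script it prints one line per challenge; a user agent would use the same information to name the challenging host in its prompt, and a site auditor would treat any cross-origin finding on a public page as a sign that access control or mirror synchronisation is misconfigured.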