W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2012

WGLC #348: Realms and scope

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 31 May 2012 22:09:52 +1000
Message-Id: <A53C13F5-CA27-4930-9DB2-AD253E911842@mnot.net>
To: HTTP Working Group <ietf-http-wg@w3.org>

Proposal - 

New section in p7 Security Considerations:

6.2 Protection Spaces

Authentication schemes that use the "realm" mechanism for establishing a protection space will expose credentials to all resources on a server. This makes it possible for a resource to harvest authentication credentials for other resources on the same server.

This is of particular concern when a servers hosts resources for multiple parties. Possible mitigation strategies include restricting direct access to authentication credentials (i.e., not making the content of the Authorization request header available), and separating protection spaces by using a different hostname for each party.

Mark Nottingham   http://www.mnot.net/
Received on Thursday, 31 May 2012 12:10:24 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:00 UTC