- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 05 Jun 2012 21:33:14 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>
- CC: David Morris <dwm@xpasc.com>
On 2012-06-05 02:16, David Morris wrote:
> ...
> This took a few days to set up a careful test case. I don't have the time
> or resources to test every client, so I can't refute the claim that some
> clients send the authorization header for a part of the host's content
> which it doesn't apply to, but I've tested:

What's the definition of "doesn't apply to"?

> IE6, IE7, IE8 and Safari (5.1.5 on MacOS 10.7). None of these clients
> sent the authorization header contrary to my assertion above.
>
> Any wording in the RFC should make it clear that sending the
> credentials for the parent of 'a' or for 'b' is incorrect but
> may happen with broken clients.
>
> I created the following structure on my test apache server:
>
> a: /authab/index.html
> b: /authab/a/index.html ... configured to require credentials
> c: /authab/b/index.html
>
> Each was a simple html page with links to the other two pages
> and a javascript onClick handler which added a unique query string
> to each request to avoid browser caching.
>
> With tcpdump on the server to capture all port 80 traffic,
> I entered url a: in each browser's address box. Navigated to c: and
> from there to b: and then back to a: and finally back to c:
>
> In each case, the browser requested credentials on the first request
> for b:.
>
> I then examined the resulting tcpdump file and confirmed that the
> authorization header was not ever included on requests for a: or c:.
>
> I'm willing to share my server with anyone who would like to test
> with other clients, but I don't want the name posted on this
> mailing list. Send me a private email for the info.

Thanks for setting this up. This definitively requires research.

In the meantime: what do we do with the ticket?

Best regards, Julian
Received on Tuesday, 5 June 2012 19:33:51 UTC
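The manual tcpdump review David describes can be automated: the protection-space rule for Basic credentials (RFC 2617 §2, RFC 7617 §2.2) says a client may reuse credentials only for paths at or below the directory of the resource that challenged it, so any Authorization header on a request outside that prefix is a client misbehaviour worth flagging. The Python below is an added example, not code from the thread; the captured request texts are constructed to mirror the a/b/c layout above, and the helper names are my own.

```python
"""Audit captured HTTP requests for credentials sent outside the protection space."""
from urllib.parse import urlsplit


def protection_root(challenged_path: str) -> str:
    """Protection space root: the challenged request path truncated after its
    last '/', so /authab/a/index.html protects everything under /authab/a/."""
    path = urlsplit(challenged_path).path
    return path[: path.rfind("/") + 1]


def parse_request(raw: str):
    """Parse one raw HTTP/1.1 request (request line plus headers) into
    (method, path-without-query, headers) with lower-cased header names."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, urlsplit(target).path, headers


def audit(raw_requests, challenged_path: str):
    """Return the paths that carried an Authorization header although they lie
    outside the protection space rooted at the challenged resource."""
    root = protection_root(challenged_path)
    leaks = []
    for raw in raw_requests:
        _method, path, headers = parse_request(raw)
        if "authorization" in headers and not path.startswith(root):
            leaks.append(path)
    return leaks


# Constructed capture in the thread's layout: a=/authab/index.html,
# b=/authab/a/index.html (protected), c=/authab/b/index.html. Unique query
# strings mimic the cache-busting onClick handler; the last request models a
# misbehaving client that replays credentials for page c.
CAPTURE = [
    "GET /authab/index.html?t=1 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "GET /authab/b/index.html?t=2 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "GET /authab/a/index.html?t=3 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "GET /authab/a/index.html?t=3 HTTP/1.1\r\nHost: example.test\r\n"
    "Authorization: Basic dGVzdDp0ZXN0\r\n\r\n",
    "GET /authab/b/index.html?t=4 HTTP/1.1\r\nHost: example.test\r\n"
    "Authorization: Basic dGVzdDp0ZXN0\r\n\r\n",
]

if __name__ == "__main__":
    print(audit(CAPTURE, "/authab/a/index.html"))  # ['/authab/b/index.html']
```

Feeding it the requests extracted from a real capture (for example via tshark's HTTP dissector) turns David's "never included on a: or c:" check into a repeatable assertion per client.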