- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 22 Mar 2012 10:55:08 +1100
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Now <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/348>.

On 16/03/2012, at 2:39 PM, Martin Thomson wrote:

> There's an implicit acknowledgement that one resource does not know
> about another (from p3):
>
> A cache cannot assume that a representation with a Content-Location
> different from the URI used to retrieve it can be used to respond to
> later requests on that Content-Location URI.
>
> However, the mechanism we use (and rely upon for performance) from p7
> makes no concessions on that point. A server that operates separate
> fiefdoms by allocating different portions of path-space cannot prevent
> one vassal state from learning the secrets of any other that uses
> these authentication mechanisms we so love to hate.
>
> For instance, if "/kind/and/naive" is authenticated in the realm
> "puppies", then "/kinda/shifty" can harvest their authentication
> information if a logged-in user agent navigates there. See "log out"
> discussion for exacerbating stuff. User agents don't know (or care)
> for this distinction.
>
> Of course, this is all pretty obvious, but is this worth acknowledging
> in Section 6?

--
Mark Nottingham http://www.mnot.net/
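A model of the protection-space rule Martin's example turns on, added here as an illustration (not code from the thread or from any real user agent): an RFC 2617 client scopes credentials to origin plus realm and uses the path only to decide on preemptive sending, so a path under an unrelated prefix on the same origin receives the stored credentials as soon as it issues one 401 naming the same realm. The origin, realm and credentials below are constructed.

```python
from urllib.parse import urlsplit

# Constructed model of RFC 2617 client behaviour; example code, not taken from
# the mailing-list thread or from any browser. The protection space is the
# origin (scheme, host, port) plus the realm string; the path matters only for
# deciding whether credentials may be attached before a challenge arrives.
class CredentialStore:
    def __init__(self):
        self._creds = {}   # (origin, realm) -> (user, secret)
        self._dirs = {}    # (origin, realm) -> set of directories that challenged

    @staticmethod
    def _origin(uri):
        u = urlsplit(uri)
        default = 443 if u.scheme == "https" else 80
        return (u.scheme, u.hostname, u.port or default)

    @staticmethod
    def _directory(uri):
        # "/kind/and/naive" -> "/kind/and/". The trailing slash keeps
        # "/kind/andy" from being treated as a descendant of "/kind/and".
        path = urlsplit(uri).path or "/"
        return path.rsplit("/", 1)[0] + "/"

    def on_challenge(self, uri, realm, creds):
        """User supplied credentials in response to a 401 naming `realm`."""
        key = (self._origin(uri), realm)
        self._creds[key] = creds
        self._dirs.setdefault(key, set()).add(self._directory(uri))

    def preemptive(self, uri):
        """Credentials a client may attach without a new challenge (RFC 2617
        section 2): only for paths at or below a directory that already
        challenged in this realm. A different prefix gets nothing here."""
        origin, path = self._origin(uri), urlsplit(uri).path or "/"
        for (o, realm), dirs in self._dirs.items():
            if o == origin and any(path.startswith(d) for d in dirs):
                return self._creds[(o, realm)]
        return None

    def for_challenge(self, uri, realm):
        """Credentials reused when a 401 does arrive: matched on origin plus
        realm only, so any path on the origin that names the realm gets them.
        This is why path-space does not partition the protection space."""
        return self._creds.get((self._origin(uri), realm))
```

Running it with "/kind/and/naive" authenticated in realm "puppies" shows that "/kind/and/naive/photos" gets the credentials preemptively, "/kinda/shifty" gets nothing unprompted, and "/kinda/shifty" receives them the moment it challenges with realm "puppies".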
Received on Wednesday, 21 March 2012 23:55:36 UTC