- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Mon, 29 Jul 2013 15:30:53 +0200
- To: Mark Nottingham <mnot@mnot.net>
- CC: "Roy T. Fielding" <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 2013-07-29 14:31, Mark Nottingham wrote: > The conclusion of the conversation was Roy's statement: > >> No, I am just saying that Connection is not required; if it is not >> included in Connection, then the intention is that it be forwarded >> until consumed. OTOH, if it is included in Connection, then it >> will be consumed or deleted by the immediate recipient. AFAIK, >> these fields are not normally included in Connection, but there >> might be a good reason to if the proxy selection is complicated. > > Which seems reasonable and no one has objected. However, p7 still says: > >> Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection, and intermediaries should not forward it to downstream clients. However, an intermediate proxy might need to obtain its own credentials by requesting them from the downstream client, which in some circumstances will appear as if the proxy is forwarding the Proxy-Authenticate header field. Out of curiosity: why does the "SHOULD NOT" show up as "should not"? > … with similar text for Proxy-Authorization. The "SHOULD NOT forward…" requirement is in conflict with the sentiment expressed above. > > I've changed the target to p7. OK. So maybe change "Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection, and intermediaries SHOULD NOT forward it to downstream clients." to "Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection, and *proxies* SHOULD NOT forward it to downstream clients." This would allow non-proxy intermediaries to forward it. Best regards, Julian
Received on Monday, 29 July 2013 13:31:23 UTC