Specifying auth credentials and access-control

Hi Folks,

The spec says in the security considerations section to not allow the 
user to specify auth credentials and cookies. I think we should add a 
note about redirects to ensure that bugs don't sneak into 
implementations. The reason is that HTTP makes it possible to redirect 
to a URI like http://user:pass@example.com/foo

So basically I think we should add a note pointing this out to avoid 
implementations forgetting about this.

/ Jonas

Received on Monday, 11 February 2008 20:47:03 UTC
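
An added example, not part of the original message or the spec: a redirect check of the kind the proposed note would call for, which resolves each Location value and refuses any hop whose URI carries userinfo such as http://user:pass@example.com/foo. The names checkRedirect and followRedirects and the sample responses are constructed for illustration.

```javascript
// Hypothetical helper: vet one redirect hop of a cross-site request.
// Returns the resolved URL string, or throws if the hop must not be followed.
function checkRedirect(currentUrl, locationHeader) {
  // Location may be relative, so resolve it against the URL just requested.
  const target = new URL(locationHeader, currentUrl);
  // The URL parser splits "user:pass@" into username/password. Either one
  // being non-empty means the redirect is supplying auth credentials.
  if (target.username !== "" || target.password !== "") {
    throw new Error("redirect carries credentials in the URI: refused");
  }
  return target.href;
}

// Walks a redirect chain. `respond(url)` stands in for the network and
// returns { status, location } (constructed, so the example runs offline).
function followRedirects(startUrl, respond, maxHops = 5) {
  // The initial URL gets the same check as every later hop.
  let url = checkRedirect(startUrl, startUrl);
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = respond(url);
    const isRedirect = [301, 302, 303, 307, 308].includes(res.status);
    if (!isRedirect) return { finalUrl: url, status: res.status };
    if (!res.location) throw new Error("redirect without Location header");
    // Check every hop: the credentials may only appear late in the chain.
    url = checkRedirect(url, res.location);
  }
  throw new Error("too many redirects");
}

// Constructed sample responses keyed by request URL.
const SAMPLE = {
  "http://a.example/start": { status: 302, location: "/next" },
  "http://a.example/next": {
    status: 302,
    location: "http://user:pass@example.com/foo",
  },
  "http://a.example/ok": { status: 307, location: "http://example.com/foo" },
  "http://example.com/foo": { status: 200 },
};
const respond = (url) => SAMPLE[url] || { status: 404 };
```

Checking only the first URL is the bug the message warns about: in the sample chain the credentials appear on the second hop, after a harmless relative redirect.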