- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 11 Feb 2008 12:44:49 -0800
- To: "WAF WG (public)" <public-appformats@w3.org>
Hi Folks,

The spec says in the security considerations section to not allow the user to specify auth credentials and cookies. I think we should add a note about redirects to ensure that bugs don't sneak in to implementations. The reason is that HTTP makes it possible to redirect to a URI like

http://user:pass@example.com/foo

So basically I think we should add a note pointing this out to avoid implementations forgetting about this.

/ Jonas
Received on Monday, 11 February 2008 20:47:03 UTC
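
The redirect case raised in the message above, as an added example that is not part of the original message or of the spec: a redirect follower that parses each Location value against the current URL and refuses any hop carrying userinfo. The function names, the `responses` map standing in for the network, and the `api.example` hosts are assumptions made for illustration.

```javascript
// Added example. Hostnames and responses below are constructed sample data.
const REDIRECT_STATUSES = [301, 302, 303, 307, 308];

// True when the parsed URL carries userinfo (a user name and/or a password).
function hasUserinfo(url) {
  return url.username !== "" || url.password !== "";
}

// Copy of the URL with userinfo stripped, safe to put in logs or errors.
function redact(url) {
  const copy = new URL(url.href);
  copy.username = "";
  copy.password = "";
  return copy.href;
}

// Walk a redirect chain (`responses` stands in for the network); refuse hops with credentials.
function followRedirects(startUrl, responses, maxHops = 5) {
  let current = new URL(startUrl);
  if (hasUserinfo(current)) {
    return { ok: false, reason: "credentials in request URL", url: redact(current) };
  }
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = responses[current.href];
    if (!res) return { ok: false, reason: "no response", url: current.href };
    if (!REDIRECT_STATUSES.includes(res.status)) return { ok: true, finalUrl: current.href, hops: hop };
    let next;
    try {
      if (typeof res.location !== "string") throw new TypeError("missing Location");
      // Resolve against the current URL: Location may be relative or scheme-relative.
      next = new URL(res.location, current);
    } catch {
      return { ok: false, reason: "invalid Location", url: current.href };
    }
    if (hasUserinfo(next)) {
      return { ok: false, reason: "credentials in redirect target", url: redact(next) };
    }
    current = next;
  }
  return { ok: false, reason: "too many redirects", url: current.href };
}

const SAMPLE = {
  "http://api.example/data": { status: 302, location: "/v2/data" },
  "http://api.example/v2/data": { status: 307, location: "//user:pass@example.com/foo" },
  "http://api.example/profile": { status: 302, location: "/users/me@example.com" },
  "http://api.example/users/me@example.com": { status: 200 },
};
console.log(followRedirects("http://api.example/data", SAMPLE));
```

Checking the parsed URL rather than searching the Location string for `@` catches the scheme-relative form and does not reject an `@` that appears only in the path.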