- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 11 Feb 2008 21:56:00 +0100
- To: "Jonas Sicking" <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>

On Mon, 11 Feb 2008 21:44:49 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
> The spec says in the security considerations section to not allow the
> user to specify auth credentials and cookies. I think we should add a
> note about redirects to ensure that bugs don't sneak in to
> implementations. The reason is that HTTP makes it possible to redirect
> to a URI like http://user:pass@example.com/foo
>
> So basically I think we should add a note pointing this out to avoid
> implementations forgetting about this.

Maybe instead deal with this in the sections that deal with redirects? Seems sensible to apply the "generic network error steps" whenever you encounter this. Author provided credentials is something the hosting specification has to deal with, but this can be handled in the Access Control specification.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Monday, 11 February 2008 20:52:13 UTC
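
The redirect check discussed in this message, as an added example that is not part of the original e-mail or of the Access Control specification: each redirect target is resolved and, if it carries userinfo such as `http://user:pass@example.com/foo`, the request ends in a network error instead of being followed. The response table, the function names, the `MAX_REDIRECTS` limit and the result shape are assumptions made for illustration.

```javascript
// Constructed redirect table standing in for the network (sample data, not real servers).
// Key: request URL. Value: the status and Location header a server would return.
const CONSTRUCTED_RESPONSES = {
  'http://a.example/start': { status: 302, location: '/next' },
  'http://a.example/next': { status: 200 },
  'http://b.example/start': { status: 302, location: 'http://user:pass@example.com/foo' },
  'http://c.example/start': { status: 307, location: '//user@c.example/only-user' },
  'http://d.example/loop': { status: 302, location: '/loop' },
};

const NETWORK_ERROR = 'network error';
const MAX_REDIRECTS = 5; // assumed limit for this example, not taken from the spec

// True when the parsed URL carries a username or a password component.
function hasUserinfo(url) {
  return url.username !== '' || url.password !== '';
}

// Follows redirects through the table and stops with a network error as soon
// as a redirect target contains credentials, before any request is sent to it.
function followRedirects(startUrl, responses = CONSTRUCTED_RESPONSES) {
  let current = new URL(startUrl);
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const res = responses[current.href];
    if (!res) return { result: NETWORK_ERROR, reason: 'no response' };
    const isRedirect = res.status >= 300 && res.status <= 399 && res.location;
    if (!isRedirect) return { result: 'ok', finalUrl: current.href, hops: hop };

    let next;
    try {
      // Relative and scheme-relative Location values resolve against the current URL.
      next = new URL(res.location, current);
    } catch (e) {
      return { result: NETWORK_ERROR, reason: 'unparsable redirect target' };
    }
    if (hasUserinfo(next)) {
      return { result: NETWORK_ERROR, reason: 'credentials in redirect target' };
    }
    current = next;
  }
  return { result: NETWORK_ERROR, reason: 'too many redirects' };
}
```

The check runs on the resolved URL rather than on the raw `Location` string, so scheme-relative targets like `//user@host/path` are caught as well.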