- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 11 Feb 2008 14:23:05 -0800
- To: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
Anne van Kesteren wrote:
>
> On Mon, 11 Feb 2008 21:44:49 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
>> The spec says in the security considerations section to not allow the
>> user to specify auth credentials and cookies. I think we should add a
>> note about redirects to ensure that bugs don't sneak into
>> implementations. The reason is that HTTP makes it possible to redirect
>> to a URI like http://user:pass@example.com/foo
>>
>> So basically I think we should add a note pointing this out to avoid
>> implementations forgetting about this.
>
> Maybe instead deal with this in the sections that deal with redirects?
> Seems sensible to apply the "generic network error steps" whenever you
> encounter this. Author-provided credentials are something the hosting
> specification has to deal with, but this can be handled in the Access
> Control specification.

Sounds good to me, but mention it in the security section too along with
the other auth credentials comment.

/ Jonas
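The check the thread is asking implementations not to forget, written out as an added example (not code from the W3C specification or from either correspondent): a minimal redirect follower that resolves each Location header and applies the "generic network error steps" (here, raising NetworkError) as soon as a redirect target carries userinfo such as http://user:pass@example.com/foo. The response chains and the NetworkError class are constructed for the example and are assumptions, not part of any real client.

```python
"""Redirect handling that refuses targets carrying embedded credentials.

Added example: a redirect target whose authority contains user[:pass]@ is
treated as a network error instead of being fetched, so credentials an author
could not set directly cannot be smuggled in via a 3xx Location header.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class NetworkError(Exception):
    """Stands in for the spec's 'generic network error steps' (assumed name)."""


def has_userinfo(url: str) -> bool:
    """True if the URL's authority has a userinfo part (user, user:pass, or even a bare '@')."""
    parts = urlsplit(url)
    # urlsplit returns None when no userinfo is present; an empty string
    # (e.g. "http://@example.com/") still counts as present and is rejected.
    return parts.username is not None or parts.password is not None


def resolve_redirect(request_url: str, location: str) -> str:
    """Resolve a Location header against the request URL and vet the result.

    Relative Location values are resolved first so the check always runs on
    the absolute URL that would actually be fetched next.
    """
    target = urljoin(request_url, location)
    if has_userinfo(target):
        raise NetworkError(f"redirect target carries embedded credentials: {target}")
    return target


def follow(url: str, responses: dict, max_redirects: int = 5) -> str:
    """Walk a canned response chain and return the final (non-redirect) URL.

    `responses` maps a URL to a constructed (status, headers) pair; a real
    client would perform the fetch instead of the dictionary lookup.
    """
    for _ in range(max_redirects + 1):
        status, headers = responses[url]
        if status not in REDIRECT_STATUSES:
            return url
        url = resolve_redirect(url, headers["Location"])
    raise NetworkError("too many redirects")


def outcome(url: str, responses: dict) -> tuple:
    """Return ("ok", final_url) or ("network-error", reason) for a chain."""
    try:
        return ("ok", follow(url, responses))
    except NetworkError as err:
        return ("network-error", str(err))


# Constructed sample chains (not captured traffic).
# A relative redirect followed by one whose target embeds user:pass.
CHAIN_WITH_CREDENTIALS = {
    "http://example.com/start": (302, {"Location": "/foo"}),
    "http://example.com/foo": (302, {"Location": "http://user:pass@example.com/bar"}),
    "http://example.com/bar": (200, {}),
}

# The same shape of chain with no userinfo anywhere.
CHAIN_CLEAN = {
    "http://example.com/a": (301, {"Location": "/b"}),
    "http://example.com/b": (307, {"Location": "http://example.com/c"}),
    "http://example.com/c": (200, {}),
}


if __name__ == "__main__":
    print(outcome("http://example.com/a", CHAIN_CLEAN))
    print(outcome("http://example.com/start", CHAIN_WITH_CREDENTIALS))
```

The check runs on the resolved absolute URL, not on the raw Location value, so a relative Location cannot bypass it; the first chain above stops at the second hop with a network error and the clean chain reaches its final URL.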
Received on Monday, 11 February 2008 22:25:26 UTC