Proposal: "User" header field

It would be nice to be able to identify a user in HTTP; especially with
read/write protocols and access control, it can be important to know who is
trying to change something.

There has been some discussion on whether the "From" header can be used to
identify a user in HTTP, and my understanding from most people is that this
would be a good candidate to send a user, but for historical reasons it's
limited to email, and changing this would perhaps get some pushback from the
IETF.

The suggestion has been to choose another header, so I thought that "User"
might be a good candidate, since we have User-Agent already.

Here's the proposed text:

[[
User

The User request-header field, if given, SHOULD contain an identifier for
the human user who controls the requesting user agent. The address SHOULD
be machine-usable, as defined by the "URI General Syntax" RFC 3986.

       User   = "User" ":" URI

An example is:

       User: http://www.w3.org/People/Berners-Lee/card#i

This header field MAY be used for logging purposes and as a means for
identifying the source of invalid or unwanted requests. It SHOULD NOT be
used as an insecure form of access protection. The interpretation of this
field is that the request is being performed on behalf of the person given,
who accepts responsibility for the method performed. In particular, robot
agents SHOULD include this header so that the person responsible for
running the robot can be contacted if problems occur on the receiving end.

The client SHOULD NOT send the User header field without the user's
approval, as it might conflict with the user's privacy interests or their
site's security policy. It is strongly recommended that the user be able to
disable, enable, and modify the value of this field at any time prior to a
request.

]]

Feedback welcome!

Received on Saturday, 13 July 2013 14:55:36 UTC
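The following is an added example, not code from the original message or from any W3C specification. It shows what a server would do with the proposed User header as the text above describes it: accept the value only if it is an absolute RFC 3986 URI, record it in the access log for attribution, and keep it out of the access-control decision, which is made from the server's own authenticated principal. The Request class, the _header helper, the WRITE_ACL table, the handle function and the example.org identifiers are assumptions made for illustration.

```python
"""Server-side handling of the proposed "User" request header.

Added illustration, not code from the original post. It does three things
the proposal text asks for: treat the value as an RFC 3986 URI and drop
anything else, record it for logging/attribution, and make access decisions
from the server's own authenticated principal, never from this header.
"""
import re
from dataclasses import dataclass
from typing import List, Mapping, Optional, Set
from urllib.parse import urlsplit

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")
# RFC 3986 section 2: the only characters a URI may contain (unreserved,
# reserved, and "%" for percent-encoding). Spaces, CR/LF and non-ASCII are
# rejected, which also keeps the value safe to write into a log line.
_URI_CHARS_RE = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")
# A "%" must be followed by exactly two hex digits.
_BAD_PCT_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def parse_user_header(value: Optional[str]) -> Optional[str]:
    """Return the header value if it is an absolute RFC 3986 URI, else None.

    A missing or malformed value is ignored rather than partially trusted:
    the proposal says the field MAY be used for logging, so a bad value
    simply contributes nothing to the log.
    """
    if value is None:
        return None
    v = value.strip()
    if not v or not _URI_CHARS_RE.match(v) or _BAD_PCT_RE.search(v):
        return None
    parts = urlsplit(v)
    # A relative reference such as "/People/Berners-Lee/card#i" has no
    # scheme and is not a URI in the sense of the ABNF  User = "User" ":" URI
    if not parts.scheme or not _SCHEME_RE.match(parts.scheme):
        return None
    return v


@dataclass
class Request:
    """Minimal stand-in for a server request object (assumption)."""
    method: str
    path: str
    headers: Mapping[str, str]
    # Set by the server's real authentication layer (HTTP auth, TLS client
    # certificate, session cookie, ...), never derived from a request header.
    authenticated_principal: Optional[str]


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header field names are not case sensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


# Hypothetical ACL for the example: path prefix -> principals allowed to write.
WRITE_ACL = {"/notes/": {"https://example.org/alice#me"}}
WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}


def handle(request: Request, acl: Mapping[str, Set[str]], log: List[str]) -> int:
    """Return an HTTP status code; append one attribution line to `log`."""
    user = parse_user_header(_header(request.headers, "User"))
    # Attribution: the claimed user goes into the log alongside the
    # authenticated principal, so a mismatch is visible after the fact.
    log.append(
        f"{request.method} {request.path} "
        f"user={user or '-'} auth={request.authenticated_principal or '-'}"
    )
    if request.method in WRITE_METHODS:
        allowed = {
            p for prefix, principals in acl.items()
            if request.path.startswith(prefix) for p in principals
        }
        # Deliberately does not consult `user`: the header is an unverified
        # claim, and using it here would be the "insecure form of access
        # protection" the proposal warns against.
        if request.authenticated_principal not in allowed:
            return 403
    return 200


if __name__ == "__main__":
    access_log: List[str] = []
    # Constructed sample request: claims to be alice but is not authenticated.
    spoof = Request("PUT", "/notes/1",
                    {"User": "https://example.org/alice#me"}, None)
    print(handle(spoof, WRITE_ACL, access_log), access_log[-1])
```

The validation is intentionally strict: a value with spaces, a bad percent-escape or no scheme is logged as absent rather than cleaned up, so a forged or garbled header cannot inject arbitrary text into the access log, and the write path never reads the header at all.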