- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 25 Jul 2007 06:52:06 -0700
- To: Anne van Kesteren <annevk@opera.com>, Web APIs WG <public-webapi@w3.org>
Anne van Kesteren wrote:
> On Mon, 23 Jul 2007 08:37:26 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> [...]
>>
>> So I think we should disallow this header since we're disallowing
>> "Connection" as it might otherwise confuse proxies.
>
> Agreed. I have not added Proxy-Authorization as setting the
> Authorization header is allowed as well.

The part I'm worried about is that the Authorization header will be picked up by your (the author's) web server. However, Proxy-Authorization will be picked up by the proxy. Using this you can potentially launch a distributed brute-force password attack against a company proxy.

This is why I'm in general thinking that disallowing Proxy-* might be a good idea.

/ Jonas
Received on Wednesday, 25 July 2007 13:52:50 UTC
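As an added example (not from the mail or from the XHR specification text), a setRequestHeader-style filter in JavaScript that implements the rule argued for above: "Connection" and every "Proxy-*" header are refused, while "Authorization" stays allowed. The header name is validated as an HTTP token before the prefix check so that a malformed name cannot slip past it; the class and constant names are constructed for this example.

```javascript
// Constructed for this example: header names a client-side API should refuse
// to let page script set. "Connection" is hop-by-hop and acted on by proxies;
// "Proxy-*" headers are consumed by the proxy, not by the author's server.
const FORBIDDEN_EXACT = new Set(["connection"]);
const FORBIDDEN_PREFIXES = ["proxy-"];

// RFC 7230 "token" characters: header names must match this exactly.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Returns true when the (syntactically valid) header name must be refused.
// Comparison is case-insensitive, since HTTP header names are.
function isForbiddenRequestHeader(name) {
  const lower = name.toLowerCase();
  if (FORBIDDEN_EXACT.has(lower)) return true;
  return FORBIDDEN_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Minimal model of a request object whose setRequestHeader applies the filter.
class GuardedRequest {
  constructor() {
    this.headers = new Map();
  }

  // Like XHR: a name that is not a valid token is a SyntaxError; a forbidden
  // name is silently dropped (returns false); anything else is stored.
  setRequestHeader(name, value) {
    if (typeof name !== "string" || !TOKEN_RE.test(name)) {
      throw new SyntaxError(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (isForbiddenRequestHeader(name)) {
      return false;
    }
    this.headers.set(name.toLowerCase(), String(value));
    return true;
  }
}
```

Because the token check runs first, a name such as "Proxy Authorization" (with a space) is rejected as malformed rather than being passed through because it failed to match the "proxy-" prefix.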