- From: Tyler Close <tyler.close@gmail.com>
- Date: Sun, 10 Jan 2010 14:14:37 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-webapps <public-webapps@w3.org>
On Sat, Jan 9, 2010 at 10:50 AM, Adam Barth <w3c@adambarth.com> wrote:
> The UMP spec says:
>
> [[
> The user agent must not add any information obtained from: HTTP
> cookies, HTTP Auth headers, client certificates, or the referring
> resource, including its origin (other than the request parameters).
> ]]
>
> Does this include the Proxy-Authorization header? If so, how can
> clients behind proxies that require authorization use web sites that
> depend on UMP?

Good catch. I've updated the text on sending a uniform request to account for this proxy information. The new text is:

"""
3.2 Sending a Uniform Request

The content of a uniform request is determined solely by the provided uniform request parameters, the user-agent's response cache and the required structure of an HTTP request.

If a user-agent is configured to send the request via a proxy, instead of directly to the host specified by the request URL, this proxy configuration information can be used to send the request to the proxy. In this case, the request sent by the user-agent is not a uniform request; however, the request ultimately delivered to the resource host will be, since any Proxy-Authorization request header is removed by the proxy before forwarding the request to the resource host.

Other than this proxy information, the user-agent must not augment the sent request with any data that identifies the user or the origin of the request. In particular, the user-agent must not add any information obtained from: HTTP cookies, HTTP Auth headers, client certificates, or the referring resource, including its origin (other than the request parameters).
"""

See: http://dev.w3.org/2006/waf/UMP/#request-sending

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Sunday, 10 January 2010 22:15:10 UTC
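The rule quoted in the new section 3.2 text (request content comes only from the request parameters and the structure of HTTP, with proxy credentials as the one permitted piece of user-agent state) can be modelled as a small header-construction pipeline. The following is an added example and not code from the UMP spec, the Waterken project or this thread; the user-agent state, header names other than those named in the spec text, the `X-Capability` parameter header and all credential values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Ambient state a conventional user-agent consults on every request.
# All values are constructed for this example.
UA_STATE = {
    "cookie_jar": {"example.net": "session=abc123"},
    "auth_cache": {"example.net": "Basic dXNlcjpwYXNz"},
    "referring_document": "https://origin.example/app",
    "proxy": {"host": "proxy.corp.example", "credentials": "Basic cHJveHk6c2VjcmV0"},
}

# Headers that identify the user or the origin of the request. Section 3.2
# forbids the user-agent from adding these from its own state.
AMBIENT_AUTHORITY_HEADERS = frozenset({"cookie", "authorization", "referer", "origin"})

# Headers required by the structure of an HTTP request; the UA may add these.
STRUCTURAL_HEADERS = frozenset({"host", "content-length"})


def build_uniform_request(method, url, parameter_headers, body=b""):
    """Build a uniform request from the request parameters alone.

    UA_STATE is deliberately not an input: nothing from the cookie jar,
    auth cache or referring document can reach the request.
    """
    headers = {k.lower(): v for k, v in parameter_headers.items()}
    headers["host"] = urlsplit(url).hostname
    if body:
        headers["content-length"] = str(len(body))
    return {"method": method, "url": url, "headers": headers, "body": body}


def build_conventional_request(method, url, parameter_headers, state, body=b""):
    """Contrast case: a conventional request silently carries ambient authority."""
    req = build_uniform_request(method, url, parameter_headers, body)
    host = urlsplit(url).hostname
    if host in state["cookie_jar"]:
        req["headers"]["cookie"] = state["cookie_jar"][host]
    if host in state["auth_cache"]:
        req["headers"]["authorization"] = state["auth_cache"][host]
    req["headers"]["referer"] = state["referring_document"]
    return req


def send_via_proxy(request, proxy):
    """The one piece of UA state section 3.2 allows: proxy credentials.

    Returns the header map as handed to the proxy. That message is not
    itself uniform, because it carries Proxy-Authorization.
    """
    wire = dict(request["headers"])
    if proxy and proxy.get("credentials"):
        wire["proxy-authorization"] = proxy["credentials"]
    return wire


def proxy_forward(wire_headers):
    """Model of the proxy: consume Proxy-Authorization, forward everything else."""
    return {k: v for k, v in wire_headers.items() if k != "proxy-authorization"}


def is_uniform(headers, parameter_headers):
    """True when every header is either a request parameter or structural."""
    allowed = {k.lower() for k in parameter_headers} | STRUCTURAL_HEADERS
    return all(name in allowed for name in headers)


def demo():
    """Run the four cases the spec text distinguishes and report which are uniform."""
    params = {"Content-Type": "text/plain", "X-Capability": "token-xyz"}
    url = "https://example.net/api"
    body = b"hello"
    uniform = build_uniform_request("POST", url, params, body)
    conventional = build_conventional_request("POST", url, params, UA_STATE, body)
    to_proxy = send_via_proxy(uniform, UA_STATE["proxy"])
    at_host = proxy_forward(to_proxy)
    return {
        "uniform_ok": is_uniform(uniform["headers"], params),
        "conventional_ok": is_uniform(conventional["headers"], params),
        "to_proxy_ok": is_uniform(to_proxy, params),
        "at_host_ok": is_uniform(at_host, params),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the distinction Adam asked about: the request as it leaves the user-agent for the proxy fails the uniformity check (it carries Proxy-Authorization), but the request the proxy forwards to the resource host passes it, while the conventional request fails because of the cookie, Authorization and Referer headers the UA attached on its own.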