Re: [UMP] Proxy-Authorization

On Sat, Jan 9, 2010 at 10:50 AM, Adam Barth <w3c@adambarth.com> wrote:
> The UMP spec says:
>
> [[
> The user agent must not add any information obtained from: HTTP
> cookies, HTTP Auth headers, client certificates, or the referring
> resource, including its origin (other than the request parameters).
> ]]
>
> Does this include the Proxy-Authorization header?  If so, how can
> clients behind proxies that require authorization use web sites that
> depend on UMP?

Good catch. I've updated the text on sending a uniform request to
account for this proxy information. The new text is:

"""
3.2 Sending a Uniform Request

The content of a uniform request is determined solely by the provided
uniform request parameters, the user-agent's response cache and the
required structure of an HTTP request. If a user-agent is configured
to send the request via a proxy, instead of directly to the host
specified by the request URL, this proxy configuration information can
be used to send the request to the proxy. In this case, the request
sent by the user-agent is not a uniform request; however, the request
ultimately delivered to the resource host will be, since any
Proxy-Authorization request header is removed by the proxy before
forwarding the request to the resource host. Other than this proxy
information, the user-agent must not augment the sent request with any
data that identifies the user or the origin of the request. In
particular, the user-agent must not add any information obtained from:
HTTP cookies, HTTP Auth headers, client certificates, or the referring
resource, including its origin (other than the request parameters).
"""

See:
http://dev.w3.org/2006/waf/UMP/#request-sending

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Sunday, 10 January 2010 22:15:10 UTC