- From: Adam Barth <w3c@adambarth.com>
- Date: Sun, 10 Jan 2010 14:25:28 -0800
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps <public-webapps@w3.org>
I don't quite understand this part of that text:

[[
In this case, the request sent by the user-agent is not a uniform request; however, the request ultimately delivered to the resource host will be, since any Proxy-Authorization request header is removed by the proxy before forwarding the request to the resource host.
]]

Concretely, suppose:

1) The user has authenticated to a proxy P using the Proxy-Authenticate / Proxy-Authentication protocol.
2) The user visits web site A which uses the UniformRequest API to generate a request R to web site B.
3) Based on that text, it sounds like R is delivered to P with the Proxy-Authentication information intact. Presumably the proxy will forward the request to B.
4) B responds with "Access-Control-Allow-Origin: *".

Now, is B's response delivered to A?

More abstractly, why aren't we worrying about P misbehaving based on the ambient authority in R (i.e., the Proxy-Authentication information)? Why do the security considerations for the Proxy-Authorization header differ from the security considerations for the Authorization header?

Adam

On Sun, Jan 10, 2010 at 2:14 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Sat, Jan 9, 2010 at 10:50 AM, Adam Barth <w3c@adambarth.com> wrote:
>> The UMP spec says:
>>
>> [[
>> The user agent must not add any information obtained from: HTTP
>> cookies, HTTP Auth headers, client certificates, or the referring
>> resource, including its origin (other than the request parameters).
>> ]]
>>
>> Does this include the Proxy-Authorization header? If so, how can
>> clients behind proxies that require authorization use web sites that
>> depend on UMP?
>
> Good catch. I've updated the text on sending a uniform request to
> account for this proxy information. The new text is:
>
> """
> 3.2 Sending a Uniform Request
>
> The content of a uniform request is determined solely by the provided
> uniform request parameters, the user-agent's response cache and the
> required structure of an HTTP request. If a user-agent is configured
> to send the request via a proxy, instead of directly to the host
> specified by the request URL, this proxy configuration information can
> be used to send the request to the proxy. In this case, the request
> sent by the user-agent is not a uniform request; however, the request
> ultimately delivered to the resource host will be, since any
> Proxy-Authorization request header is removed by the proxy before
> forwarding the request to the resource host. Other than this proxy
> information, the user-agent must not augment the sent request with any
> data that identifies the user or the origin of the request. In
> particular, the user-agent must not add any information obtained from:
> HTTP cookies, HTTP Auth headers, client certificates, or the referring
> resource, including its origin (other than the request parameters).
> """
>
> See:
> http://dev.w3.org/2006/waf/UMP/#request-sending
>
> --Tyler
>
> --
> "Waterken News: Capability security on the Web"
> http://waterken.sourceforge.net/recent.html
>
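The following Python model is an added illustration of the exchange discussed above; it is not part of Adam's or Tyler's messages nor of the UMP specification. It walks through steps 1 to 3 of the scenario: a user-agent holding cookies, HTTP Auth credentials and proxy credentials builds a request from uniform request parameters only, sends it to the configured proxy with Proxy-Authorization attached, and a well-behaved proxy strips that header before forwarding. The header names are real HTTP headers; the hosts, cookie and credential values are constructed sample data, and the functions (`build_uniform_request`, `proxy_forward`, `ambient_headers_in`, `scenario`) are hypothetical names chosen for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Request headers that carry ambient authority: the UMP text says a user-agent
# must not add these from its own state (cookies, HTTP Auth, referring resource).
AMBIENT_HEADERS = frozenset({"cookie", "authorization", "referer", "origin"})


@dataclass
class UserAgentState:
    """Ambient state a browser holds for the user. All values are constructed samples."""
    cookies: Dict[str, str] = field(default_factory=dict)     # host -> Cookie header value
    http_auth: Dict[str, str] = field(default_factory=dict)   # host -> Authorization value
    proxy: Optional[str] = None                               # configured proxy host, if any
    proxy_auth: Optional[str] = None                          # Proxy-Authorization value


def host_of(url: str) -> str:
    """Extract the host from an http(s) URL (no port or userinfo handling needed here)."""
    return url.split("://", 1)[1].split("/", 1)[0]


def build_uniform_request(params: dict, state: UserAgentState) -> dict:
    """Model the request a user-agent sends for a set of uniform request parameters.

    Only the caller-supplied parameters reach the headers; state.cookies and
    state.http_auth are never consulted. The one piece of user-agent state that
    is used is proxy configuration: with a proxy set, the next hop is the proxy
    and Proxy-Authorization is attached for it (the exception in the spec text).
    """
    headers = {k.lower(): v for k, v in params.get("headers", {}).items()}
    forbidden = set(headers) & AMBIENT_HEADERS
    if forbidden:
        raise ValueError(f"uniform request parameters may not set: {sorted(forbidden)}")
    request = {
        "method": params.get("method", "GET"),
        "url": params["url"],
        "headers": headers,
        "next_hop": state.proxy or host_of(params["url"]),
    }
    if state.proxy and state.proxy_auth:
        request["headers"]["proxy-authorization"] = state.proxy_auth
    return request


def proxy_forward(request: dict) -> dict:
    """What a well-behaved proxy delivers to the resource host: the same request
    with the hop-by-hop Proxy-Authorization header removed."""
    forwarded = {**request, "headers": dict(request["headers"])}
    forwarded["headers"].pop("proxy-authorization", None)
    forwarded["next_hop"] = host_of(request["url"])
    return forwarded


def ambient_headers_in(request: dict) -> Set[str]:
    """Identifying headers a given request carries; an empty set means it is uniform."""
    return set(request["headers"]) & (AMBIENT_HEADERS | {"proxy-authorization"})


def scenario():
    """Steps 1-3 of the thread: user authenticated to proxy P, site A issues a
    uniform request to site B. Returns (request on the wire, request B receives)."""
    state = UserAgentState(
        cookies={"b.example": "session=abc123"},            # constructed sample
        http_auth={"b.example": "Basic dXNlcjpwYXNz"},      # constructed sample
        proxy="proxy.example",                              # P
        proxy_auth="Basic cHJveHl1c2VyOnNlY3JldA==",        # constructed sample
    )
    params = {"method": "GET", "url": "http://b.example/data",
              "headers": {"Accept": "application/json"}}
    on_wire = build_uniform_request(params, state)   # R as sent to P
    at_b = proxy_forward(on_wire)                    # R as B sees it
    return on_wire, at_b


if __name__ == "__main__":
    wire, delivered = scenario()
    print("sent to", wire["next_hop"], "with", sorted(wire["headers"]))
    print("delivered to", delivered["next_hop"], "with", sorted(delivered["headers"]))
    print("identifying headers on the wire:", ambient_headers_in(wire))
    print("identifying headers at B:", ambient_headers_in(delivered))
```

Running `scenario()` makes the point of the thread concrete: the request on the wire still carries Proxy-Authorization, so the request is uniform only from the proxy onward and the model relies on the proxy behaving as the spec text assumes. The model deliberately stops at step 3 and does not decide whether B's response reaches A.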
Received on Sunday, 10 January 2010 22:26:20 UTC