Re: [UMP] Proxy-Authorization

On Sun, Jan 10, 2010 at 2:25 PM, Adam Barth <w3c@adambarth.com> wrote:
> I don't quite understand this part of that text:
>
> [[
> In this case, the request
> sent by the user-agent is not a uniform request; however, the request
> ultimately delivered to the resource host will be, since any
> Proxy-Authorization request header is removed by the proxy before
> forwarding the request to the resource host.
> ]]
>
> Concretely, suppose:
>
> 1) The user has authenticated to a proxy P using the
> Proxy-Authenticate / Proxy-Authentication protocol.
> 2) The user visits web site A which uses the UniformRequest API to
> generate a request R to web site B.
> 3) Based on that text, it sounds like R is delivered to P with the
> Proxy-Authentication information intact.  Presumably the proxy will
> forward the request to B.
> 4) B responds with "Access-Control-Allow-Origin: *".
>
> Now, is B's response delivered to A?

Yes, assuming that user-agent is configured to use that proxy server.
Note that the request forwarded to B does *not* have a
Proxy-Authorization header.

> More abstractly, why aren't we worrying about P misbehaving based on
> the ambient authority in R (i.e., the Proxy-Authentication
> information)?  Why do the security considerations for the
> Proxy-Authorization header differ from the security considerations for
> the Authorization header?

The resource host decides whether or not to accept a request, what
side-effects are caused, and what information is put in the response.
We want to prevent ambient authority from having an effect on these
decisions by the resource host. The proxy is presumably semantically
transparent and so has no impact on these decisions by the resource
host. For https: resources, this transparency is cryptographically
enforced by the SSL protocol, which tunnels the connection through the
proxy.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Monday, 11 January 2010 20:41:08 UTC
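
The header handling discussed in this message, as an added example that is not part of the original post or the UMP draft: it models a proxy dropping hop-by-hop headers (the RFC 2616 section 13.5.1 list) and reports which credential headers remain when the request reaches the resource host. The function names, the sample requests and the `CREDENTIAL_HEADERS` set are assumptions made for illustration.

```python
# Added illustration; not code from the UMP draft or from either poster.
# Hop-by-hop headers per RFC 2616 section 13.5.1: a proxy consumes these
# and does not forward them to the next hop.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailers",
              "transfer-encoding", "upgrade"}

# Assumption for this sketch: the headers treated as ambient authority.
# Only Authorization and Proxy-Authorization are named in the thread.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization"}


def forward_through_proxy(headers):
    """Return the header list a conforming proxy sends to the resource host."""
    # Any header named in Connection is hop-by-hop as well.
    named = set()
    for name, value in headers:
        if name.lower() == "connection":
            named.update(t.strip().lower() for t in value.split(",") if t.strip())
    drop = HOP_BY_HOP | named
    return [(n, v) for n, v in headers if n.lower() not in drop]


def credentials_present(headers):
    """Names of credential headers found in a request, lowercased and sorted."""
    return sorted({n.lower() for n, _ in headers} & CREDENTIAL_HEADERS)


# Constructed sample: request R as the user-agent sends it to proxy P.
R_AT_PROXY = [
    ("Host", "b.example"),
    ("Proxy-Authorization", "Basic constructed-placeholder"),
    ("Connection", "keep-alive"),
    ("Accept", "*/*"),
]
R_AT_HOST = forward_through_proxy(R_AT_PROXY)

# Authorization is end-to-end, so the proxy passes it on and the request
# that reaches the resource host still carries a credential.
NON_UNIFORM = forward_through_proxy(
    R_AT_PROXY + [("Authorization", "Basic constructed-placeholder")])

if __name__ == "__main__":
    print("at proxy:", credentials_present(R_AT_PROXY))
    print("at host: ", credentials_present(R_AT_HOST))
    print("with Authorization, at host:", credentials_present(NON_UNIFORM))
```

The model covers plain http: forwarding only; for https: resources the message above notes that the connection is tunnelled through the proxy.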