- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 23 May 2006 20:42:35 +0200
- To: Lisa Dusseault <lisa@osafoundation.org>
- CC: WebDav WG <w3c-dist-auth@w3.org>
Lisa Dusseault wrote:

>> The username (optionally) is sent in the content from server to client
>> (see
>> <http://greenbytes.de/tech/webdav/draft-reschke-webdav-mount-04.html#ELEMENT_username>).
>> In general, this is the user name that was used to authenticate to the
>> Web site in the first place, so I'm not sure why sending it back to
>> the client is any kind of security risk?
>
> It's not obvious at all to me that the username I use to download the
> mount document is the same one my client used to authenticate to get the
> document. That implies that the document is dynamically generated,
> always. That makes it harder to deploy in some cases.

Well, it depends on the use case. In general, I would expect it to be either dynamically generated, or not to have the username in it.

>> I'm not sure what kind of information you're referring to here. Please
>> be more specific...
>
> Given my assumption that the username could be the one the client is
> using or some *other* username, there is at least a possibility of
> information leaking here.

As there is with any other document type. I'm not sure where the security risk is here. That somebody can find out about usernames? These things also show up in lock properties, ACL properties, HTML content, whatnot...

Best regards, Julian
Received on Tuesday, 23 May 2006 18:42:44 UTC
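The two options discussed in the message (generate the mount document per request with only the requesting user's name, or leave the username element out) as an added Python example; this is not code from the thread or from the draft. It assumes the mount-document namespace and element names as later published in RFC 4709, and a server-side `authenticated_user` value taken from the request's authentication.

```python
import xml.etree.ElementTree as ET

# Namespace of the WebDAV mount document (draft-reschke-webdav-mount / RFC 4709).
DM_NS = "http://purl.org/NET/webdav/mount"


def build_davmount(collection_url, authenticated_user=None, open_path=None):
    """Generate a mount document on demand for the current request.

    dm:username is emitted only with the principal that authenticated this
    request (or omitted when the request was anonymous), so the document
    never carries a name other than the one the fetching client already used.
    """
    ET.register_namespace("dm", DM_NS)
    root = ET.Element(f"{{{DM_NS}}}mount")
    ET.SubElement(root, f"{{{DM_NS}}}url").text = collection_url
    if open_path:
        ET.SubElement(root, f"{{{DM_NS}}}open").text = open_path
    if authenticated_user:
        ET.SubElement(root, f"{{{DM_NS}}}username").text = authenticated_user
    return ET.tostring(root, encoding="unicode")


def username_in(davmount_xml):
    """Return the dm:username of a mount document, or None when absent."""
    root = ET.fromstring(davmount_xml)
    el = root.find(f"{{{DM_NS}}}username")
    return el.text if el is not None else None


def leaks_other_user(davmount_xml, authenticated_user):
    """Check a stored (static) mount document before serving it:
    True when it names a user other than the one who is fetching it,
    which is the information leak raised in the thread."""
    name = username_in(davmount_xml)
    return name is not None and name != authenticated_user
```

A server that keeps static .davmount files can run `leaks_other_user` before serving one, and either strip the element or regenerate the file for the requesting user.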