- From: Marc Salomon <marc@ckm.ucsf.edu>
- Date: Thu, 24 Oct 1996 12:58:33 -0700
- To: www-talk@w3.org

I ran into an interesting condition today and was wondering what people thought about what proper behavior should be.

Assume that we have one machine known by a number of CNAMEs. Say that an application that lives somewhere in the hierarchy has been "protected" with BASIC authentication. www.foo.edu:/apps/thing and bar.foo.edu:/apps/thing refer to the same resource.

For the point of illustration, assume that the people designing the application don't know of relative URLs or the BASE tag, and they hard-wire an absolute URL into the application.

The user fires up the application by pointing their browser to www.foo.edu:/apps/thing, authenticates and is granted authorization to proceed. An embedded link somewhere in the application points to bar.foo.edu:/apps/thing.

When the user dereferences this link, should the browser prompt to authenticate again, or should it create an equivalence class for this IP address containing the CNAMEs of which the browser is aware and send the authentication data to the server?

In HTTP/1.0? In HTTP/1.1 where the mandatory Host header forces disambiguation?

-marc

Received on Thursday, 24 October 1996 15:57:04 UTC
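
The two behaviors the message asks about, modeled as a client-side credential cache. This is an added example, not part of the original message; the `CredentialCache` class, the realm name, the credentials and the 192.0.2.10 address are constructed for illustration.

```javascript
// Constructed DNS view: both names from the message resolve to one address.
// 192.0.2.10 is a documentation address chosen here, not taken from the message.
const DNS = { "www.foo.edu": "192.0.2.10", "bar.foo.edu": "192.0.2.10" };

// Hypothetical Basic credential cache. `policy` selects the cache key:
//   "host": credentials are bound to the hostname the user authenticated to
//   "ip":   credentials are bound to the resolved address, i.e. the
//           "equivalence class" of names the message asks about
class CredentialCache {
  constructor(policy) {
    this.policy = policy;
    this.store = new Map();
  }
  key(host, realm) {
    const scope = this.policy === "ip" ? DNS[host] : host.toLowerCase();
    return `${scope}|${realm}`;
  }
  remember(host, realm, user, pass) {
    const token = Buffer.from(`${user}:${pass}`).toString("base64");
    this.store.set(this.key(host, realm), `Basic ${token}`);
  }
  // Called when `host` answers 401 with a Basic challenge for `realm`.
  lookup(host, realm) {
    return this.store.get(this.key(host, realm)) || null;
  }
}

// The session from the message: authenticate at www.foo.edu, then follow
// the hard-wired absolute link to bar.foo.edu and receive a challenge there.
function followLink(policy) {
  const cache = new CredentialCache(policy);
  cache.remember("www.foo.edu", "thing", "alice", "s3cret"); // constructed values
  const header = cache.lookup("bar.foo.edu", "thing");
  return { sendsCredentials: header !== null, promptsUser: header === null, header };
}

// "host" policy: no cached entry for bar.foo.edu, so the user is prompted again.
// "ip" policy: the password is replayed to any name sharing the address, which
// with name-based virtual hosting can be a site run by a different party.
for (const policy of ["host", "ip"]) {
  const r = followLink(policy);
  console.log(policy, "->", r.promptsUser ? "prompt again" : "resend " + r.header);
}
```
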