- From: Gerald Oskoboiny <gerald@w3.org>
- Date: Wed, 5 Sep 2001 00:49:47 -0400
- To: Samuel Rinnetmäki <samuel.rinnetmaki@tothepoint.fi>
- Cc: www-validator@w3.org

On Mon, Sep 03, 2001 at 02:08:54PM +0300, Samuel Rinnetmäki wrote:
:
> If I use the Validator to validate a document on a server (A) which
> requires authentication, Validator asks for the credentials. If I then try
> and validate another document on another server (B), my browser sends the
> same credentials to the Validator and the validator forwards them to the
> server (B). Thus the server B receives the authorization headers that
> were required by a document on the server (A). The authorization header
> is sent even if the document on the server (B) doesn't require
> authentication.

Thanks for the clear report; we'll try to get this fixed ASAP.

I think this would be fairly difficult for someone to exploit, for
the reason Nick pointed out (the obscurity of server A.) However,
we should certainly get it fixed anyway.

--
Gerald Oskoboiny http://www.w3.org/People/Gerald/
World Wide Web Consortium (W3C) http://www.w3.org/
tel:+1-613-261-6630 mailto:gerald@w3.org

Received on Wednesday, 5 September 2001 00:50:19 UTC