- From: Norman Walsh <ndw@nwalsh.com>
- Date: Thu, 05 Feb 2009 08:31:00 -0500
- To: XProc Dev <xproc-dev@w3.org>
- Message-ID: <m2ljsl6mej.fsf@nwalsh.com>
Florent Georges <fgeorges@fgeorges.org> writes: > In p:http-request, what's the intent of send-authorization? I > understand what the processor is supposed to do, but I would like > to know why it is helpful. If you know that you're using Basic authentication, then you can send the credentials first and avoid the "got a 401, retry with credentials" round trip. > Why not always send credentials on > the first request, when specified? I guess this is related to > security, to not send credentials without the user explicitly > requesting so? Credentials that you send on the first attempt are effectively clear text. (They're hashed, but I think it's reversible.) So you don't want to do that without the author explicitly requesting it. It's also pointless if you're using Digest authentication since you can't construct the correct credentials before the server sends you a nonce. Please let us know if this explanation is unsatisfactory. > BTW, the recent comments I raised about this step is because I > got inspired from it to design an equivalent feature for XSLT. I > thought it would be helpful to have same names for attributes, > etc. You can see it at: > > http://www.fgeorges.org/xslt/exslt2/http-client.html > > and discussions at: http://lists.fourthought.com/pipermail/exslt/. Cool. Be seeing you, norm -- Norman Walsh <ndw@nwalsh.com> | All our foes are mortal.--Paul Valéry http://nwalsh.com/ |
Received on Thursday, 5 February 2009 13:31:45 UTC