- From: mozer <xmlizer@gmail.com>
- Date: Thu, 5 Feb 2009 16:37:17 +0100
- To: Norman Walsh <ndw@nwalsh.com>
- Cc: XProc Dev <xproc-dev@w3.org>
- Message-ID: <21d9ade60902050737i3040378bq143bbafe5f49a7f6@mail.gmail.com>
On Thu, Feb 5, 2009 at 2:31 PM, Norman Walsh <ndw@nwalsh.com> wrote:
> Florent Georges <fgeorges@fgeorges.org> writes:
> > In p:http-request, what's the intent of send-authorization? I
> > understand what the processor is supposed to do, but I would like
> > to know why it is helpful.
>
> If you know that you're using Basic authentication, then you can send
> the credentials first and avoid the "got a 401, retry with
> credentials" round trip.
>
> > Why not always send credentials on
> > the first request, when specified? I guess this is related to
> > security, to not send credentials without the user explicitly
> > requesting so?
>
> Credentials that you send on the first attempt are effectively clear
> text. (They're hashed, but I think it's reversible.)

Well, small fix here: hashing is not reversible; but using the hashed
value you can reproduce the logging, which is definitely a security
issue

> So you don't
> want to do that without the author explicitly requesting it.
>
> It's also pointless if you're using Digest authentication since you
> can't construct the correct credentials before the server sends you a
> nonce.
>
> Please let us know if this explanation is unsatisfactory.
>
> > BTW, the recent comments I raised about this step is because I
> > got inspired from it to design an equivalent feature for XSLT. I
> > thought it would be helpful to have same names for attributes,
> > etc. You can see it at:
> >
> > http://www.fgeorges.org/xslt/exslt2/http-client.html
> >
> > and discussions at: http://lists.fourthought.com/pipermail/exslt/.
>
> Cool.
>
> Be seeing you,
> norm
>
> --
> Norman Walsh <ndw@nwalsh.com> | All our foes are mortal.--Paul Valéry
> http://nwalsh.com/ |

Received on Thursday, 5 February 2009 15:39:26 UTC
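
The two schemes discussed in this thread, side by side, as an added example that is not part of the original messages: a Basic `Authorization` value (RFC 7617) is the base64 encoding of `user:password` and needs nothing from the server, while a Digest response (RFC 2617, shown in its form without `qop`) is computed over a server-issued nonce. The user, password, realm, URI and nonce values are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample values, not taken from the thread.
USER, PASSWORD, REALM = "alice", "s3cret-pass", "example"

def basic_header(user, password):
    """Basic (RFC 7617): base64 of "user:password". No server input is
    needed, so a client can send it on the first request."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic(header_value):
    """What anyone who sees the header can do: base64 is an encoding."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization value")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, password, realm, method, uri, nonce):
    """Digest (RFC 2617, form without qop): MD5(HA1:nonce:HA2). The nonce
    comes from the server's 401 challenge, so there is nothing to send
    before that challenge arrives."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_accepts(response, nonce, method="GET", uri="/doc.xml"):
    """Server side: recompute with the nonce issued for this exchange."""
    return response == digest_response(USER, PASSWORD, REALM, method, uri, nonce)

if __name__ == "__main__":
    print(decode_basic(basic_header(USER, PASSWORD)))
    captured = digest_response(USER, PASSWORD, REALM, "GET", "/doc.xml", "nonce-1")
    print(server_accepts(captured, "nonce-1"), server_accepts(captured, "nonce-2"))
```

Over plain HTTP, a preemptively sent Basic header therefore exposes the password itself, which is why sending it is left to an explicit author choice and to transports protected by TLS.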