On 2016-04-18 7:59 AM, Richard Barnes wrote:
> Could we just disable HTTP auth for connections not protected with TLS?  At
> least Basic auth is manifestly insecure over an insecure transport.  I
> don't have any usage statistics, but I suspect it's pretty low compared to
> form-based auth.

I also don't have data but I suspect that would break a lot of intranet sites where I believe HTTP auth is more common. I think we need to be even more careful about compat issues like this since it totally prevents you from accessing the service instead of having a somewhat broken experience. It seems like something we would want to announce far in advance and I suspect there will still be too many affected sites even with a year's notice. Starting with warnings could help to reduce the compat issue down the road if we decide to stop support, as not everyone will hear about our deprecation plans.

Matthew
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
