Anne van Kesteren wrote:
On Mon, 11 Feb 2008 21:44:49 +0100, Jonas Sicking <[EMAIL PROTECTED]> wrote:
The spec says in the security considerations section to not allow the
user to specify auth credentials and cookies. I think we should add a
note about redirects to ensure that bugs don't sneak into
implementations. The reason is that HTTP makes it possible to redirect
to a URI like http://user:[EMAIL PROTECTED]/foo
So basically I think we should add a note pointing this out to avoid
implementations forgetting about this.
Maybe instead deal with this in the sections that deal with redirects?
Seems sensible to apply the "generic network error steps" whenever you
encounter this. Author-provided credentials are something the hosting
specification has to deal with, but this can be handled in the Access
Control specification.
Sounds good to me, but mention it in the security section too along with
the other auth credentials comment.
/ Jonas
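As an added illustration of the rule discussed in this thread (not code from the Access Control specification or from any browser), the following redirect handler applies the network-error outcome whenever the resolved redirect target carries userinfo; it uses Node's built-in WHATWG URL parser, and the function names and the sample response chain are constructed for the example.

```javascript
// Added example, not from the spec or any implementation. Function names
// (handleRedirect, followRedirects) are assumed; uses Node's global URL class.

// Resolve a Location header against the current request URL and decide
// whether a cross-site request may follow it. A target that carries
// userinfo (user:pass@host), whether absolute or scheme-relative, is
// treated as a network error, as proposed in the thread; an unparseable
// Location is treated the same way rather than being followed.
function handleRedirect(currentUrl, locationHeader) {
  let target;
  try {
    target = new URL(locationHeader, currentUrl);
  } catch (e) {
    return { outcome: 'network error', reason: 'unparseable Location' };
  }
  if (target.username !== '' || target.password !== '') {
    return { outcome: 'network error', reason: 'userinfo in redirect target' };
  }
  return { outcome: 'follow', url: target.href };
}

// Walk a chain of constructed responses (sample data, not a real capture).
// `responses` maps an absolute URL to { status, location } as a server would
// answer; `maxResponses` bounds how many responses are examined in total.
function followRedirects(startUrl, responses, maxResponses = 6) {
  let url = new URL(startUrl).href;
  for (let i = 0; i < maxResponses; i++) {
    const resp = responses[url];
    if (!resp) return { outcome: 'network error', reason: 'no response for ' + url };
    if (resp.status < 300 || resp.status > 399) return { outcome: 'final', url };
    const decision = handleRedirect(url, resp.location);
    if (decision.outcome !== 'follow') return decision;
    url = decision.url;
  }
  return { outcome: 'network error', reason: 'too many redirects' };
}

// Constructed sample chain: a benign relative hop followed by a hop whose
// target URI embeds credentials, which must end in a network error.
const SAMPLE_RESPONSES = {
  'http://a.example/start': { status: 302, location: '/next' },
  'http://a.example/next': { status: 302, location: 'http://user:secret@b.example/foo' },
  'http://b.example/foo': { status: 200 },
};
```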