Hi Folks,
The spec says in the security considerations section to not allow the
user to specify auth credentials and cookies. I think we should add a
note about redirects to ensure that bugs don't sneak into
implementations. The reason is that HTTP makes it possible to redirect
to a URI like http://user:[EMAIL PROTECTED]/foo
So basically I think we should add a note pointing this out to avoid
implementations forgetting about this.
/ Jonas
- Specifying auth credentials and access-control Jonas Sicking
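An added illustration of the point raised above, not code from Jonas's message or from any implementation: a minimal redirect follower that vets each Location target and refuses one carrying userinfo (user:password@host), exercised against a constructed redirect chain that stands in for real HTTP responses.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class CredentialedRedirect(Exception):
    """Raised when a redirect target embeds credentials in its authority."""


def check_redirect_target(target: str) -> str:
    """Return `target` unchanged if it carries no userinfo, else raise.

    The userinfo component is refused outright rather than stripped, so a
    redirect can never turn into a request the caller did not authorize.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported redirect scheme: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise CredentialedRedirect(
            f"redirect to {parts.hostname} carries userinfo; not following")
    return target


def follow_redirects(start_url: str, responses: dict, max_hops: int = 5) -> str:
    """Walk a redirect chain, vetting every hop, and return the final URL.

    `responses` maps a URL to (status, headers) and plays the role of the
    HTTP client; relative Location values are resolved against the current URL.
    """
    url = start_url
    for _ in range(max_hops):
        status, headers = responses[url]
        if status not in REDIRECT_STATUSES:
            return url
        url = check_redirect_target(urljoin(url, headers["Location"]))
    raise RuntimeError("too many redirects")


# Constructed sample chains (hostnames are placeholders, not real services).
BENIGN_CHAIN = {
    "http://app.example/start": (302, {"Location": "/next"}),
    "http://app.example/next": (200, {}),
}
CREDENTIALED_CHAIN = {
    "http://app.example/start": (302, {"Location": "http://user:secret@other.example/foo"}),
}

if __name__ == "__main__":
    print(follow_redirects("http://app.example/start", BENIGN_CHAIN))
```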