On Tuesday 07 February 2006 12:28, Phillip J. Eby wrote:

> * Add an optional 'wsgi.response_filtering' key to the spec. If its value
> is present and true, the server promises to prevent 'X-Internal-*' headers
> from being transmitted.
>
> * Add an optional 'X-Internal-WSGI-Authenticated-User' header to the spec,
> that indicates the authenticated user name. This should only be inserted
> into the response headers if 'wsgi.response_filtering' is in effect.
>
> * Require that any user-defined X-Internal headers include a product name,
> e.g. 'X-Internal-Zope-Foo', to avoid conflict with WSGI-defined or other
> products' user-defined headers.
>
> This would all be placed under a new section entitled "Internal Response
> Headers" and defined as an optional extension.
>
> Any thoughts?
This sounds really good! Thanks for the great summary and suggestions. As far as I can tell it solves all of our use cases and addresses our security concerns; i.e. not sending the username to the client.

Regards,
Stephan

--
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
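The proposed extension, worked through as an added example that is not code from the thread or from any WSGI server: a server-side wrapper sets `wsgi.response_filtering`, hands stripped `X-Internal-*` headers to a server-side callback (the callback and `example.user` environ key are assumptions for the demo), and an application emits `X-Internal-WSGI-Authenticated-User` only when the promise is present, so the username never reaches the client.

```python
# Added example implementing Phillip Eby's proposed 'wsgi.response_filtering'
# extension. The environ key and header names come from the proposal; the
# function names, the 'on_internal' callback and 'example.user' are hypothetical.
INTERNAL_PREFIX = "x-internal-"


def has_product_name(header_name):
    """Proposed rule: user-defined X-Internal headers carry a product segment,
    e.g. X-Internal-Zope-Foo, so 'X-Internal-Foo' is rejected."""
    parts = header_name.split("-")
    return len(parts) >= 4 and header_name.lower().startswith(INTERNAL_PREFIX)


def filtering_server(app, on_internal=None):
    """Server-side wrapper: advertises the promise and strips every
    X-Internal-* header before it can be transmitted to the client."""
    def wrapped(environ, start_response):
        environ["wsgi.response_filtering"] = True

        def filtered_start_response(status, headers, exc_info=None):
            internal = [(n, v) for n, v in headers if n.lower().startswith(INTERNAL_PREFIX)]
            kept = [(n, v) for n, v in headers if not n.lower().startswith(INTERNAL_PREFIX)]
            if on_internal is not None and internal:
                on_internal(internal)  # e.g. server-side logging; never sent to the client
            return start_response(status, kept, exc_info)
        return app(environ, filtered_start_response)
    return wrapped


def auth_app(environ, start_response):
    """Application side: only emit the internal header when the server promised
    to filter it, so a non-filtering server never leaks the username."""
    headers = [("Content-Type", "text/plain")]
    user = environ.get("example.user")  # constructed: identity known to the app
    if user and environ.get("wsgi.response_filtering"):
        headers.append(("X-Internal-WSGI-Authenticated-User", user))
    start_response("200 OK", headers)
    return [b"hello\n"]


def run(app, environ):
    """Drive a WSGI app once; return (status, headers the client would see, body)."""
    sent = {}

    def start_response(status, headers, exc_info=None):
        sent["status"], sent["headers"] = status, list(headers)
        return lambda data: None
    body = b"".join(app(environ, start_response))
    return sent["status"], [n.lower() for n, _ in sent["headers"]], body
```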