Message72871
When you request a URL that requests Basic authentication info,
HTTPBasicAuthHandler adds the Authorization header to the request as a
normal (not unredirected) header. Then, if the server returns a 301 or
302 redirect, HTTPRedirectHandler will send a request to the redirected
address, keeping the normal headers, including the Authorization header
HTTPBasicAuthHandler added. I'll attach the code I used to test this.
GET from libwww-perl seems to do this, but most browsers don't seem to
by default, and although I can't find much in the RFCs about how
redirecting is supposed to work wrt. auth headers (feel free to point
out sections if I'm blind), I think it breaks
ftp://ftp.isi.edu/in-notes/rfc2617.txt somewhat (section 1.1,
"""
The protection space determines the domain over which credentials can
be automatically applied. If a prior request has been authorized, the
same credentials MAY be reused for all other requests within that
protection space for a period of time determined by the
authentication scheme, parameters, and/or user preference. Unless
otherwise defined by the authentication scheme, a single protection
space cannot extend outside the scope of its server.
""") since redirects can point to arbitrary urls off of the server.
as in bug #1480067 just adding the header as an unredirected header
would stop the header being sent across redirects if that's indeed the
proper behaviour. |

Date | User | Action | Args
2008-09-09 15:12:44 | TFKyle | set | recipients: + TFKyle
2008-09-09 15:12:44 | TFKyle | set | messageid: <1220973164.56.0.503421072226.issue3819@psf.upfronthosting.co.za>
2008-09-09 15:12:43 | TFKyle | link | issue3819 messages
2008-09-09 15:12:42 | TFKyle | create |
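
An added example (not part of the original message, and not CPython's own code) of the header handling described above, written against Python 3's urllib.request and calling redirect_request directly so that it runs offline. The hostnames, the credentials, and the names origin, SameOriginAuthRedirectHandler and auth_survives_redirect are assumptions made for the illustration.

```python
import base64
import urllib.request
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) triple used to decide whether a redirect leaves the server."""
    parts = urlsplit(url)
    return (parts.scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS.get(parts.scheme))


class SameOriginAuthRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Hypothetical handler: drop Authorization when a redirect changes origin."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        new = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new is not None and origin(new.full_url) != origin(req.full_url):
            new.remove_header("Authorization")
        return new


def auth_survives_redirect(handler, url, newurl, unredirected=False):
    """Build a request carrying Basic credentials, apply a 302, report if they follow."""
    req = urllib.request.Request(url)
    token = base64.b64encode(b"user:pass").decode()  # constructed credentials
    # Normal headers are copied onto the redirected request; unredirected ones are not.
    add = req.add_unredirected_header if unredirected else req.add_header
    add("Authorization", "Basic " + token)
    new = handler.redirect_request(req, None, 302, "Found", {}, newurl)
    return new.has_header("Authorization")


if __name__ == "__main__":
    stock = urllib.request.HTTPRedirectHandler()
    strict = SameOriginAuthRedirectHandler()
    here = "http://a.example/private"        # constructed URLs
    elsewhere = "http://b.example/landing"
    print("stock, normal header:      ", auth_survives_redirect(stock, here, elsewhere))
    print("stock, unredirected header:", auth_survives_redirect(stock, here, elsewhere, True))
    print("strict, cross-origin:      ", auth_survives_redirect(strict, here, elsewhere))
    print("strict, same origin:       ", auth_survives_redirect(strict, here, "http://a.example/other"))
```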