Ticket #348: 348.diff

File 348.diff, 1.9 KB (added by julian.reschke@…, 7 years ago)

Proposed patch

  • p7-auth.xml

    341341<section title="Protection Space (Realm)" anchor="protection.space">
    342342  <iref item="Protection Space"/>
    343343  <iref item="Realm"/>
     344  <iref item="Canonical Root URI"/>
    345346   The authentication parameter realm is reserved for use by authentication
    346347   schemes that wish to indicate the scope of protection.
    803804   cached credentials under user control.
     808<section title="Protection Spaces" anchor="protection.spaces">
     810  Authentication schemes that solely rely on the "realm" mechanism for
     811  establishing a protection space will expose credentials to all resources on a
     812  server. Clients that have successfully made authenticated requests with a
     813  resource can use the same authentication credentials for other resources on
     814  the same server. This makes it possible for a different resource to harvest
     815  authentication credentials for other resources.
     818  This is of particular concern when a server hosts resources for multiple
     819  parties under the same canonical root URI (<xref target="protection.spaces"/>).
     820  Possible mitigation strategies include restricting direct access to
     821  authentication credentials (i.e., not making the content of the
     822  Authorization request header field available), and separating protection
     823  spaces by using a different host name for each party.
    808828<section title="Acknowledgments" anchor="acks">
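Review bot: the `<xref target="protection.spaces"/>` in the new "Protection Spaces" security-considerations section points at the section's own anchor (`anchor="protection.spaces"`), so it renders as a self-reference; the canonical root URI is described in the "Protection Space (Realm)" section, whose anchor is `protection.space` (singular, see the first hunk), and the target should presumably be that one. Two wording points in the same added text: "Clients that have successfully made authenticated requests with a resource" reads better as "to a resource", and in "restricting direct access to authentication credentials (i.e., not making the content of the Authorization request header field available)" the parenthetical is one example of such a restriction rather than its definition, so "e.g." fits better than "i.e."; it would also help to say to whom the header field content is being withheld (the server-side code of the other parties hosted under the same canonical root URI), since that is the harvesting path the preceding paragraph describes.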
    11271147  Closed issues:
    11281148  <list style="symbols">
    11291149    <t>
     1150      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/348"/>:
     1151      "Realms and scope"
     1152    </t>
     1153    <t>
    11301154      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/349"/>:
    11311155      "Strength"
    11321156    </t>