Message319880
| Author | artem.smotrakov |
| Recipients | Ivan.Pozdeev, alex, artem.smotrakov, jwilk, orsenthil |
| Date | 2018-06-18.13:04:05 |
| SpamBayes Score | -1.0 |
| Marked as misclassified | Yes |
| Message-id | <1529327045.13.0.56676864532.issue33661@psf.upfronthosting.co.za> |
| In-reply-to | |
| Content |
If I am not missing something, section 6.4 of RFC 7231 doesn't explicitly discuss that all headers should be sent. I wish it did :)
I think that an Authorization header for host A may make sense for host B if both A and B use the same database with user credentials. I am not sure that modern authentication mechanisms like OAuth rely on this fact (although I need to check the specs to make sure).
Sending a Cookie header to a different domain looks like a violation of the same-origin policy to me. RFC 6265 says something about it:
https://tools.ietf.org/html/rfc6265#section-5.4
curl was recently updated to filter out Authorization headers in case of a redirect to another host. Chrome and Firefox don't send either Authorization or Cookie headers while handling a redirect. It doesn't seem to be a disaster for them :) |
|
History
| Date | User | Action | Args |
|---|---|---|---|
| 2018-06-18 13:04:05 | artem.smotrakov | set | recipients: + artem.smotrakov, orsenthil, jwilk, alex, Ivan.Pozdeev |
| 2018-06-18 13:04:05 | artem.smotrakov | set | messageid: <1529327045.13.0.56676864532.issue33661@psf.upfronthosting.co.za> |
| 2018-06-18 13:04:05 | artem.smotrakov | link | issue33661 messages |
| 2018-06-18 13:04:05 | artem.smotrakov | create | |
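
The behaviour the message attributes to curl, Chrome and Firefox (not forwarding Authorization or Cookie when a redirect leaves the original host) can be sketched for a Python `urllib.request` client as below. This is an added example, not code from the tracker or from CPython; the names `origin`, `StripCredentialsOnRedirect` and `follow`, the `a.example`/`b.example` hosts and the header values are constructed, and treating a scheme or port change as a different origin is a choice made for this example.

```python
import urllib.request
from urllib.parse import urlsplit

SENSITIVE = {"authorization", "cookie"}  # the two headers the message discusses
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


class StripCredentialsOnRedirect(urllib.request.HTTPRedirectHandler):
    """Hypothetical handler: drop credentials when the redirect changes origin."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # The stock handler copies the caller's headers onto the new request.
        new = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new is not None and origin(req.full_url) != origin(new.full_url):
            for name in list(new.headers):
                if name.lower() in SENSITIVE:
                    new.remove_header(name)
        return new


def follow(url, location, request_headers, code=302):
    """Build the follow-up request for a redirect; performs no network I/O."""
    req = urllib.request.Request(url, headers=request_headers)
    handler = StripCredentialsOnRedirect()
    new = handler.redirect_request(req, None, code, "Found", {}, location)
    return dict(new.headers)


if __name__ == "__main__":
    # Constructed sample headers, not real credentials.
    hdrs = {"Authorization": "Basic Y29uc3RydWN0ZWQ6dmFsdWU=",
            "Cookie": "session=constructed", "Accept": "text/html"}
    print(follow("https://a.example/start", "https://a.example/next", hdrs))
    print(follow("https://a.example/start", "https://b.example/next", hdrs))
```

Passing the handler to `urllib.request.build_opener(StripCredentialsOnRedirect())` replaces the default redirect handler for requests made through that opener.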