On 2/22/2013 5:41 PM, Brian Smith wrote:
> bernhardr...@gmail.com wrote:
>> I'm willing to fix
>> https://bugzilla.mozilla.org/show_bug.cgi?id=836602
>>
>> Summary: The REST API should not send cookies and thus now uses the
>> LOAD_ANONYMOUS flag. But this flag also denies (client side)
>> authentication like my custom Firefox Sync requires.
>> Therefore Firefox Sync is broken for me since >= F18.
> Which modes of authentication does the Sync team wish to support in the 
> product?
>
> Currently it supports and requires (I think) HTTP authentication without 
> cookies and without SSL client certificates.
>
> The proposal (I think) is to support SSL client certificates with HTTP 
> authentication. But, if you are already doing SSL client authentication then
> do you really need HTTP authentication too? Should that mode of operation be, 
> instead, SSL client authentication without HTTP authentication and without 
> cookies?
>
> How would the Sync client decide whether to use SSL client certificates or 
> HTTP authentication? Would there be some new UI?
>
> I am willing to help with things (e.g. reviewing the tests) but it is up to 
> the Sync team to decide on the prioritization of the work and decide what the 
> testing requirements are. IMO, writing tests for this will be difficult as 
> there's no framework for SSL client cert testing.

We'd likely change Sync to statically use LOAD_NOCOOKIES. The important
consideration is for cookies to not automatically "creep" into requests
because we don't want to leak details to the Sync server from other
parts of the domain (Mozilla's Sync servers would be receiving cookies
for mozilla.com!). Sync never uses cookies, so it shouldn't be a problem
to blanket disable them.

Honestly, Sync should probably offer an API that allows modification of
outgoing HTTP requests for non-standard setups. But, that doesn't solve
the problem that there are legitimate use cases beyond Sync that want
finer control than what LOAD_ANONYMOUS currently provides.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
