Anne van Kesteren wrote:
> On Mon, 23 Jul 2007 08:37:26 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
>> [...]
>> So I think we should disallow this header since we're disallowing
>> "Connection" as it might otherwise confuse proxies.
>
> Agreed. I have not added Proxy-Authorization as setting the
> Authorization header is allowed as well.

The part I'm worried about is that the Authorization header will be
picked up by your (the author's) web server. However, Proxy-Authorization
will be picked up by the proxy. Using this you can potentially launch a
distributed brute-force password attack against a company proxy. This is
why I'm in general thinking that disallowing Proxy-* might be a good idea.
/ Jonas