Re: [hybi] Authentication headers
Wellington Fernando de Macedo <wfernandom2004@gmail.com> Thu, 22 July 2010 00:07 UTC
Date: Wed, 21 Jul 2010 21:07:48 -0300
Message-ID: <AANLkTil1Y2HtE6yophn8uNznJTPAFNx_jiKlIqPt6p-z@mail.gmail.com>
From: Wellington Fernando de Macedo <wfernandom2004@gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: hybi@ietf.org
Subject: Re: [hybi] Authentication headers
> Also, it isn't true. Again, all available Mozilla's http authentication
> (like digest) work with websocket.

Well, I said something wrong... Actually digest with websockets just works
when connecting to the proxy. Sorry.

2010/7/21 Wellington Fernando de Macedo <wfernandom2004@gmail.com>

> > For example, the only authentication scheme that would work and be secure
> > is Basic auth over TLS to the same host as served the HTML page.
>
> Also, it isn't true. Again, all available Mozilla's http authentication
> (like digest) work with websocket.
>
> 2010/7/21 Ian Hickson <ian@hixie.ch>
>
>> On Mon, 7 Jun 2010, Wellington Fernando de Macedo wrote:
>> >
>> > I'm updating the Mozilla's implementation of the WS protocol to its
>> > latest version (v.76). I know that handling the 401 http response was
>> > already removed in the v75. But now I've noted that even the http
>> > Authorization header has been removed.
>> >
>> > Well, I think that the 401 http status was removed in order to prevent
>> > the browser to open unexpected auth dialogs to the user. Actually, I
>> > know there is the cookie information, but I think it isn't always
>> > enough. So, I would like to ask, why can't a "normal" request include
>> > the Authorization header from its page origin?
>>
>> There's some commented-out text to that effect, but frankly it's not clear
>> to me that it would be particularly useful in practice. For example, the
>> only authentication scheme that would work and be secure is Basic auth
>> over TLS to the same host as served the HTML page. In practice, only very
>> few sites use that combination of technologies; the cost of supporting it
>> seems higher than the benefit gained from it. It also seems unreliable; it
>> relies on the browser remembering the credentials used when loading the
>> Web page, for instance. There are also a number of situations where it
>> would seem that it should work but where it won't, for example if a page
>> on one path uses pushState() to go to another path and then opens a
>> WebSocket connection to the same host with the second path, the UA would
>> not know the realm of the second path and thus wouldn't know to include
>> the authentication information.
>>
>> Basically, it seemed hacky. I couldn't really find a compelling argument
>> to support this rather than having it at the application layer. (You can
>> still leverage the basic auth feature that way, just have the server send
>> back a unique token that identifies the user's session and then pass that
>> back on the WebSocket connection.) Cookies are supported because they are
>> _very_ widely used, so there's something to reuse. HTTP auth is used so
>> rarely that I'd seriously consider dropping it from HTTP at this point; I
>> really don't think it's worth adding to WebSockets.
>>
>> --
>> Ian Hickson                  U+1047E                )\._.,--....,'``.    fL
>> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
>> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
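The application-layer pattern Ian describes in the quoted reply (the HTTP-authenticated page obtains a session token from the server and sends it over the WebSocket connection, rather than the browser replaying HTTP auth headers in the handshake) as an added example; this is not code from the thread or from Mozilla's implementation, and the token layout, the `{"type":"auth","token":...}` first-frame format and the secret are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed secret for this example; a real deployment keeps it server-side only.
SERVER_SECRET = b"example-server-secret-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ws_token(session_id: str, secret: bytes = SERVER_SECRET,
                   ttl: int = 60, now: Optional[float] = None) -> str:
    # Minted by the HTTP side after the normal (e.g. Basic-over-TLS) login;
    # short-lived so a leaked token is only useful for a brief window.
    now = time.time() if now is None else now
    payload = json.dumps({"sid": session_id, "exp": int(now) + ttl,
                          "nonce": secrets.token_hex(8)}, separators=(",", ":"))
    body = _b64(payload.encode())
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_ws_token(token: str, secret: bytes = SERVER_SECRET,
                    now: Optional[float] = None) -> Optional[str]:
    # Returns the session id only if the MAC checks out and the token is unexpired.
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # bad base64, missing '.', or malformed JSON
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload.get("sid")


def handle_first_frame(frame_text: str, secret: bytes = SERVER_SECRET,
                       now: Optional[float] = None) -> Optional[str]:
    # WebSocket side: the first text frame must be the auth message; anything
    # else (or a bad token) yields None and the server should close the socket.
    try:
        msg = json.loads(frame_text)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("type") != "auth":
        return None
    return verify_ws_token(str(msg.get("token", "")), secret, now)
```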