On Sep 22, 9:44 am, "Marc-Antoine Ruel" <[EMAIL PROTECTED]> wrote:
> I can't confirm your analysis, but I just want to give you some background
> info;

I can't explain why you can't confirm. I think I provided enough info and repeatability information, here and in the bug list, including a http://beta.winserver.com test site. I can provide at least a few hundred more web sites if I knew which ones had HTTP BASIC/DIGEST enabled off hand. Also, googling the proper keywords you will find there were others encountering the problem. In fact, this one was very recent: http://www.gossamer-threads.com/lists/python/bugs/680623

> We are departing from WinHTTP.

Ironically I was going to propose to replace the WinHTTP interface. But that isn't the problem, because Chrome takes control of redirection (incorrectly), which is the root of the RFC 2617 "going against the spec" A.K.A. "violation" in Chrome (see below). So replacing the HTTP stack is not going to solve this if it does not address the redirection logic.

> New authentication digests will be implemented in the new stack.

Although I can understand why Chrome wanted to use WinHTTP for these features, keep in mind, it has really nothing to do with basic/digest per se. It is the redirection logic that is flawed. You might want to take a look at Trolltech's QtWebKit implementation of WebKit with its QtAuthenticator and networking/caching logic.

What Chrome needs here is to couple the following design points during a redirection:

By default and per RFC 2617 recommendations:
- Passing the Authorization header to the same-domain relocation (not cross domains).

For security enhancements:
- Utilize a "short time window" difference between the redirection and the original referer,
- Make sure the referer is authorized before authorizing the redirection.

> This will take some time.

I don't see why it has to take a long time to address the more immediate issue of fixing the redirection. The WinHTTP stack or rolling your own isn't going to solve it unless it has the same redirection solution.
The solution for now is to add a HttpKeyByDomain() function lookup. The current lookup HttpKey() is by domain/realm. Once you have the HttpKeyByDomain(), then it's an easy solution.
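As an added example (not Chromium code and not the poster's), here is the redirect policy sketched above written out in Python: a credential cache keyed by domain/realm with the extra domain-only lookup, and a decision function that replays the Authorization header only for a same-origin redirect, inside a short time window, when the original request's host already holds a credential. The class and function names, the 30-second window and the cached header value are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class CredentialCache:
    """Cached Authorization headers, keyed by domain/realm (hypothetical name)."""
    _entries: dict = field(default_factory=dict)

    @staticmethod
    def http_key(host: str, realm: str) -> str:
        # The existing style of lookup: one key per domain/realm pair.
        return f"{host.lower()}/{realm}"

    def add(self, host: str, realm: str, authorization: str) -> None:
        self._entries[self.http_key(host, realm)] = authorization

    def http_key_by_domain(self, host: str) -> list:
        # The lookup the post asks for: every credential for a host, whatever the realm.
        prefix = host.lower() + "/"
        return [v for k, v in self._entries.items() if k.startswith(prefix)]


def same_origin(url_a: str, url_b: str) -> bool:
    # Strict reading of "same domain": scheme, host and port must all match,
    # which also refuses an https -> http downgrade during the redirect.
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port or DEFAULT_PORTS.get(a.scheme)) == (
        b.scheme, b.hostname, b.port or DEFAULT_PORTS.get(b.scheme))


def authorization_for_redirect(cache: CredentialCache, original_url: str,
                               redirect_url: str, elapsed_s: float,
                               max_window_s: float = 30.0) -> Optional[str]:
    """Return the Authorization header to replay on the redirect, or None to send none."""
    # 1. Per RFC 2617: credentials stay within the protection space, never cross-domain.
    if not same_origin(original_url, redirect_url):
        return None
    # 2. The redirect must follow the original request within a short time window.
    if elapsed_s > max_window_s:
        return None
    # 3. The referring request's host must itself already be authorized.
    creds = cache.http_key_by_domain(urlsplit(original_url).hostname or "")
    return creds[0] if creds else None


if __name__ == "__main__":
    cache = CredentialCache()
    cache.add("beta.winserver.com", "test", "Basic dXNlcjpwYXNz")  # constructed value
    print(authorization_for_redirect(cache, "http://beta.winserver.com/a",
                                     "http://beta.winserver.com/b", 1.0))
```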
