This core directive would be used to modify the processing of ap_add_common_vars() to pass through Authorization or Proxy-Authorization as HTTP_foo. (Nothing else is currently blocked, so any other header name wouldn't make sense.)
This directive would be configurable at the directory level, but not in htaccess. Various mods (mod_fastcgi, mod_fcgid, mod_wsgi, etc.) have ways to pass this information through; bug 56855 has a patch to add it to mod_proxy_fcgi too. With that patch in place, at least mod_proxy_scgi in our tree still couldn't front an app that wants to handle Basic auth. It would be good to consolidate over time the code/documentation around suppressing *Authorization. Some concerns: Processing it in ap_add_common_vars() is not finely scoped to natural users of the data; e.g., mod_include and mod_ext_filter would see it. At the same time, not allowing it in htaccess may negate its usefulness in some environments. Thoughts? -- Born in Roswell... married an alien... http://emptyhammock.com/
