> I have had more time to review this patch. -1. This has some serious
> implications for how we serve content. Take the following example:

Ryan, the whole reason for having the hook is to bypass those checks.
It is very common to have a server feature wherein the webmaster
specifically allocates some set of URLs that they know will never
need authentication. The server is still secure because it is an
opt-in approach -- these URLs must be specifically allocated in
order for them to be cachable and thereby able to be served in this
fashion.

You simply cannot say that this approach is any less secure than having
a hook for adding protocols. After all, the admin could just as easily
configure the server to bypass ALL of the request hooks. Just because
the hook is there doesn't mean it will be used in insecure ways.

....Roy