Senthil <[EMAIL PROTECTED]> added the comment:

1) The section you refer to is 1.2 of RFC 2617, which specifies the details of Access Authentication in general and is not specific to URL redirects. So, I don't think we should take it as a reference.

2) Under section 3.3, Digest Operation, the authentication case under redirection is described like this (search for the keyword 'redirect'):

"""
The client will retry the request, at which time the server might respond with a 301/302 redirection, pointing to the URI on the second server. The client will follow the redirection, and pass an Authorization header, including the <opaque> data...
"""

This basically states that the Authorization header should be passed on redirects in the Digest authentication case (and should we assume in the Basic authentication case also?). If yes, then urllib2 is actually doing the same thing. Do you have a practical scenario where this has resulted in a failure/security loophole?

----------
nosy: +orsenthil

_______________________________________
Python tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue3819>
_______________________________________
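The behaviour under discussion, forwarding an Authorization header across a redirect, is the kind of thing a client can bound on its own side. As an added example that is not part of this thread or of urllib2, the following uses Python 3's urllib.request (the successor of urllib2) with a hypothetical redirect handler that forwards the Authorization header only when the redirect target has the same scheme, host and port as the original request; the helper names and the constructed URLs are assumptions for illustration.

```python
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener


def same_origin(url_a, url_b):
    """True when scheme, host and port match (ports default per scheme)."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    default = {"http": 80, "https": 443}
    port_a = a.port or default.get(a.scheme)
    port_b = b.port or default.get(b.scheme)
    return (a.scheme, a.hostname, port_a) == (b.scheme, b.hostname, port_b)


class OriginBoundRedirectHandler(HTTPRedirectHandler):
    """Redirect handler that forwards Authorization only to the same origin.

    Hypothetical helper written for this example; not part of the stdlib.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # Let the stdlib build the follow-up request (it already drops the
        # content-* headers), then decide whether the credential may travel.
        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new_req is not None and not same_origin(req.full_url, newurl):
            # Cross-origin hop: a credential issued for the first server
            # is not forwarded to the second one.
            new_req.remove_header("Authorization")
        return new_req


def make_opener():
    """Opener that follows redirects with the origin-bound policy above."""
    return build_opener(OriginBoundRedirectHandler)


def follow(req_url, location, auth="Basic Zm9vOmJhcg=="):
    """Simulate a 302 from req_url to location (no network) and return the
    follow-up Request the handler would issue; auth is a constructed value."""
    original = Request(req_url, headers={"Authorization": auth})
    handler = OriginBoundRedirectHandler()
    return handler.redirect_request(original, None, 302, "Found", {}, location)
```

`follow()` exercises the handler offline; `make_opener().open(url)` applies the same policy to real requests.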