[Openid-specs-fapi] Alive and kicking: draft-cavage-http-signatures
anders.rundgren.net at gmail.com
Thu Mar 14 09:50:59 UTC 2019
On 2019-03-14 10:17, Philippe Leothaud via Openid-specs-fapi wrote:
> Hi Dave,
> there is alo this one :
> "If there are multiple instances of the same header field, all header field values associated with the header field MUST be concatenated, separated by a ASCII comma and an ASCII space `, `, and used in the order in which they will appear in the transmitted HTTP message"
> This is a real problem cause as soon as you go through a proxy/reverse proxy the order is not guaranteed...
> One example is if you want to sign the Set-Cookie header ;-)
My 00 draft reads:
"For interoperability reasons it is RECOMMENDED to not use duplicate
header names for headers that are to be signed"
I just removed this paragraph. Do you think I should restore it?
AWS do not seem to have a solution either:
More information about the Openid-specs-fapi