Return HTTP Vary header
Bug #913895 reported by Dolph Mathews
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Wishlist | Dolph Mathews |
Bug Description
A Vary header should be returned with all authenticated responses to allow HTTP caches to differentiate between authenticated requests.
See "14.44 Vary": http://
Request:
GET /tenants
X-Auth-Token: 12345
Response:
Vary: X-Auth-Token
{ /* tenants specific to token 12345 */ }
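The caching behaviour the bug description relies on, as an added Python example that is not part of the bug report or of keystone's code: a toy shared cache that keys only on the URL unless the response carries Vary, and a WSGI middleware that appends X-Auth-Token to Vary. The names VaryOnAuthToken, SharedCache and tenants_app are hypothetical, and the requests are constructed.

```python
# Added example; all class and function names are hypothetical, inputs are constructed.
class VaryOnAuthToken:
    """WSGI middleware: add X-Auth-Token to Vary on responses to token-bearing requests."""
    def __init__(self, app, header="X-Auth-Token"):
        self.app, self.header = app, header

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            if "HTTP_" + self.header.upper().replace("-", "_") in environ:
                headers = self.merge(headers)
            return start_response(status, headers, exc_info)
        return self.app(environ, patched)

    def merge(self, headers):
        fields = [f.strip() for k, v in headers if k.lower() == "vary"
                  for f in v.split(",") if f.strip()]
        if "*" in fields or self.header.lower() in [f.lower() for f in fields]:
            return headers  # already varies on the token (or on everything)
        rest = [(k, v) for k, v in headers if k.lower() != "vary"]
        return rest + [("Vary", ", ".join(fields + [self.header]))]

class SharedCache:
    """Toy shared cache: URL is the primary key, Vary fields select among variants."""
    def __init__(self, app):
        self.app, self.store = app, {}

    def get(self, path, req):
        for vary, selected, body in self.store.get(path, []):
            if all(req.get(f) == selected[f] for f in vary):
                return body, "HIT"
        environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
        environ.update({"HTTP_" + k.upper().replace("-", "_"): v for k, v in req.items()})
        seen = {}
        def start_response(status, headers, exc_info=None):
            seen["headers"] = headers
        body = b"".join(self.app(environ, start_response))
        vary = [f.strip() for k, v in seen["headers"] if k.lower() == "vary"
                for f in v.split(",")]
        self.store.setdefault(path, []).append((vary, {f: req.get(f) for f in vary}, body))
        return body, "MISS"

def tenants_app(environ, start_response):
    """Stand-in for GET /tenants: the body depends on the caller's token."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [('{"tenants_for": "%s"}' % environ.get("HTTP_X_AUTH_TOKEN", "")).encode()]
```

Wrapping `tenants_app` directly in `SharedCache` answers a second token's request from the first token's cached entry; wrapping `VaryOnAuthToken(tenants_app)` instead stores one variant per token.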
Changed in keystone:
importance: High → Wishlist
visibility: private → public
security vulnerability: yes → no
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone:
milestone: essex-3 → 2012.1
@Dolph: trying to assess impact. Could you explain how this could be abused? If this is serious, we might want to coordinate disclosure rather than just push the fix.