
RE: repeated requests for a file favicon.ico


I have been giving this issue some thought over the last hour, and I
think I see your point and agree with it. If the browser decides to
request a file, it is up to the browser to deal with it.
However, there is still this little voice in my head telling me we are
about to breach the http protocol by ignoring an "auth required" message
(or interpreting it as a 404/403 if you like).
But hell, I don't like the fact that my browser is requesting files I
didn't ask for either. Maybe the favicon stuff should be a part of the
http-protocol and therefore we could also define that an "auth-required"
message on favicon should be interpreted as a 404.

Regards, Jasper

-----Original Message-----
From: Matthew Palmer [mailto:mpalmer@debian.org]
Sent: Wednesday 6 October 2004 14:10
To: debian-security@lists.debian.org
Subject: Re: repeated requests for a file favicon.ico

On Wed, Oct 06, 2004 at 12:22:47PM +0200, Jasper Filon wrote:
> I agree with you that maybe it would be better if the browser would
> interpret an authorisation request on a favicon.ico as a 404 (or 403)
> error, but on the other hand, the request for favicon isn't any
> from a normal http request. Maybe you could even say it is up to apache to
> send the 403 rather than ask for authorisation. I think this could be
> interesting discussion.

I think it's up to the browser to realise that it's asking for something
which, quite honestly, the user probably has no knowledge of, and if it
an "Auth Required" back when it asks for the favicon it should go "oh
and give up, unless it already has authentication credentials for the
specified site and realm.  Making apache do it would complicate the
code unnecessarily, and really does seem to be putting the fix in the

- Matt
