> On 05/13/2012 06:07 PM, SM wrote:
> > As a starting point, here's some suggested text for Section 8.2:
> > In recent years, there have been growing concerns about privacy. There
> > is a tradeoff between ensuring privacy for users versus disclosing
> > information which is useful for debugging. The Forwarded HTTP header
> > field, by design, exposes information which affects the privacy of
> > users. This header field should not be used if the proxy is being
> > operated as a privacy service.
> - Is "privacy service" well-defined? (Or well enough defined?)
Maybe we can write something like "if the proxy is intended to
anonymize the user" ?
> - In general, is a user supposed to know that headers like this
> are being added? If so, how? If not, doesn't that have privacy
> implications as well?
There are lots and lots of different proxy types and the users need
special education for each of them. However, this cannot be done in
> - Section 5.4 is also odd: when would we want a proxy to make it
> look to the UA that stuff the proxy got unprotected was protected?
It is not uncommon that you have a reverse proxy that does SSL offload.
This should be of no concern for the user.
> - I also wondered how widely the X-Forwarded stuff is deployed and
> generally whether it's really a good or bad idea to standardise
> this. I can't tell from (the quick read I had of) the document.
It has really widespread usage in the world of proxying.