We should write a few simple tests to see which implementations require acl:Read access to receive notifications about a given resource on websockets-pubsub. The test suite sends auth headers by default, but these were only a recent proposal and I think most implementations ignore them and just stream notifications to anyone who connects and asks for it. Related to the age-old nodeSolidServer/node-solid-ws#1.
The reporting on these tests should obviously reflect that auth headers are still experimental in websockets-pubsub and they are not yet required by the spec. Still, it's a potential security issue if they're ignored, so worth testing.
We should write a few simple tests to see which implementations require
acl:Readaccess to receive notifications about a given resource on websockets-pubsub. The test suite sends auth headers by default, but these were only a recent proposal and I think most implementations ignore them and just stream notifications to anyone who connects and asks for it. Related to the age-old nodeSolidServer/node-solid-ws#1.The reporting on these tests should obviously reflect that auth headers are still experimental in websockets-pubsub and they are not yet required by the spec. Still, it's a potential security issue if they're ignored, so worth testing.