Discussion of header injection is problematic #19
Description
The current API overview mentions that in-network auth for this mechanism might happen through header injection. This is incompatible with a fully encrypted web, and it's the sort of thing UAs should not grandfather in for a special case.
Is there some other way that can be recommended? Source IP addr (given network ownership)? Client certs?