Most HTTP authentication schemes are probeable in the sense that it is possible for an unauthenticated client to probe whether an origin