W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2008

Re: Basic Authentication and encoding of non-ASCII characters in credentials

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 28 May 2008 10:51:14 +0200
Message-ID: <483D1D02.5030100@gmx.de>
To: Martin Duerst <duerst@it.aoyama.ac.jp>
CC: ietf-http-wg@w3.org

Martin Duerst wrote:
> At 01:46 08/05/28, Julian Reschke wrote:
>> Hi,
>> we recently discussed this over at the W3C webapi discussion list, and it turns out that, at least for Firefox, the encoding that is being used depends on whether the browser itself does the authentication (ISO8859-1 plus bugs for non-ISO characters), or whether it's XMLHTTPRequest (UTF-8).
>> To me that looks like a totally bizarre design.
> To me, it looks like no design at all. Whoever did the original stuff
> didn't think about non-ASCII, or didn't have much of an idea.
> In my opinion, UTF-8 is the right long-term solution, and the sooner
> we get there, the better.
> Regards,    Martin.

I would like Basic Auth to use UTF-8. But: this has been discussed again 
and again of the last years, and I think we haven't come to a consensus 
that it *can* be changed.

For instance, I know by first hand of people in Europe relying that 
(non-ASCII) ISO-8859-1 characters in credentials work in Basic 
Authentication, and the clients and servers these people depend on use 
ISO-8859-1 as encoding.

Choosing different encodings in the same UA depending who generated the 
HTTP request is just bizarre, and will not help solving the problem.

It seems an easy way to make progress would be to define "Basic2" (using 
UTF-8), and try to get it supported in the open source browser engines 
(FF/Webkit) and Apache httpd.

BR, Julian

PS: we would still need to discuss whether it should be otherwise 
compatible with Basic, or whether we would want to fix other things as 
well, such as the inability to have colon character in the user name.
Received on Wednesday, 28 May 2008 08:52:01 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:46 UTC