- From: Thomas Broyer <t.broyer@gmail.com>
- Date: Fri, 23 Oct 2009 23:46:27 +0200
- To: sh@defuze.org
- Cc: ietf-http-wg@w3.org

On Fri, Oct 23, 2009 at 5:57 PM, Sylvain Hellegouarch wrote:
>
> Following http://www.w3.org/Protocols/HTTP/1.1/rfc2616bis/issues/#i78 I've
> been left wondering how to convey the following semantic with HTTP:
>
> * The request was not fulfilled due to authorization failure and the
> server (does not wish to)/(cannot) specify which scheme must be used.
>
> The context is based on HTTP requests issued from Javascript along with a
> cookie based authentication system.
>
> RFC 2616 tells me I cannot reply neither with a 401 without a scheme nor
> can I use a 403 since subsequent Authorization would not help.
>
> At first I was tempted to simply use one of the 30x code to inform the
> Javascript handler that it should act accordingly but browsers don't
> bubble up 30x responses to the Javascript stack which leaves me the
> already burdened 400.
>
> There seemed to be a consensus two years ago not to split the
> Authorization header from its WWW-Authenticate friend but to me the
> semantic of one without the other remains.
>
> Today I'm merely seeking the group advice on what would be the best
> decision to make.

Help me advancing and finishing "HTTP Cookie Auth" ;-)
http://tools.ietf.org/html/draft-broyer-http-cookie-auth
http://hg.ltgt.net/http-cookie-auth/

(this is only a matter of time I have available to work on it –much less
than I'd like–, do not see the absence of work as a giving up)

--
Thomas Broyer
/tɔ.ma.bʁwa.je/

Received on Friday, 23 October 2009 21:47:00 UTC