
Re: Authorization with WWW-Authenticate (bis)

From: Thomas Broyer <t.broyer@gmail.com>
Date: Thu, 12 Nov 2009 00:12:13 +0100
Message-ID: <a9699fd20911111512u1924cb3bo571ff76aa97d846d@mail.gmail.com>
To: Henrik Nordstrom <henrik@henriknordstrom.net>
Cc: Nicolas Alvarez <nicolas.alvarez@gmail.com>, ietf-http-wg@w3.org
On Wed, Nov 11, 2009 at 11:52 PM, Henrik Nordstrom wrote:
>
> What is unspecified is how the user agent should behave if none of the
> provided challenges is understood. It seems to me that most user agents
> then fall back on basic auth with unspecified realm which imho is not a
> bad thing to do. Both unlikely to be accepted by the server AND exposing
> password details in the plain for no good value, better to abort the
> request with an error.

All user agents I tested just displayed the response entity, except
Opera pre-10 which displayed an error page about the auth scheme not
being recognized:
http://hg.ltgt.net/http-cookie-auth/raw-file/tip/ua-compat.html

-- 
Thomas Broyer
/tɔ.ma.bʁwa.je/
Received on Wednesday, 11 November 2009 23:12:52 GMT
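
Added example, not part of the original message and not code from any user agent discussed in the thread: a client-side challenge selector that aborts with an error when none of the offered schemes is understood, instead of falling back to Basic. The function names, the `token68` dictionary key and the sample header are assumptions constructed for illustration.

```python
import re

# One list element: runs of non-comma text and whole quoted-strings.
ITEM = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')
# Constructed sample: two schemes, a comma inside a quoted realm, a token68.
SAMPLE = 'Newscheme realm="apps, internal", Negotiate YII='

class NoUsableChallenge(Exception):
    """None of the offered auth schemes is implemented by this client."""

def split_list(value):
    """Split a header value on commas that lie outside quoted-strings."""
    return [i.strip() for i in ITEM.findall(value) if i.strip()]

def parse_challenges(header):
    """Return [(scheme, params)] for each challenge in a WWW-Authenticate value."""
    challenges = []
    for item in split_list(header):
        head, _, rest = item.partition(" ")
        if "=" not in head and not rest.lstrip().startswith("="):
            challenges.append((head.lower(), {}))   # bare token: a new scheme
            item = rest.strip()
        if not item:
            continue
        if not challenges:
            raise ValueError("parameter before any auth scheme")
        m = re.fullmatch(r'([^=\s]+)\s*=\s*(.+)', item)
        if m and not m.group(2).startswith("="):
            val = m.group(2)
            if len(val) > 1 and val[0] == val[-1] == '"':
                val = re.sub(r"\\(.)", r"\1", val[1:-1])   # unquote
            challenges[-1][1][m.group(1).lower()] = val
        else:
            challenges[-1][1]["token68"] = item     # e.g. "YII="
    return challenges

def choose_challenge(header, supported):
    """Pick by client preference order; never invent a Basic challenge."""
    offered = parse_challenges(header)
    for scheme in supported:
        for name, params in offered:
            if name == scheme:
                return name, params
    # No match: surface an error instead of sending credentials anyway.
    raise NoUsableChallenge(", ".join(n for n, _ in offered) or "none")
```

Basic is selected only when the server actually offered it and the caller lists it in `supported`; the caller decides separately whether Basic is acceptable on a non-TLS connection.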
