Re: Authorization with WWW-Authenticate (bis)

From: Sylvain Hellegouarch <sh@defuze.org>
Date: Thu, 12 Nov 2009 20:25:41 +0100
Message-ID: <4AFC6135.4060802@defuze.org>
To: Thomas Broyer <t.broyer@gmail.com>
CC: Henrik Nordstrom <henrik@henriknordstrom.net>, Nicolas Alvarez <nicolas.alvarez@gmail.com>, ietf-http-wg@w3.org
Thomas Broyer wrote:
> On Wed, Nov 11, 2009 at 11:52 PM, Henrik Nordstrom wrote:
>   
>> What is unspecified is how the user agent should behave if none of the
>> provided challenges is understood. It seems to me that most user agents
>> then fall back on basic auth with unspecified realm which imho is not a
>> bad thing to do. Both unlikely to be accepted by the server AND exposing
>> password details in the plain for no good value, better to abort the
>> request with an error.
>>     
>
> All user agents I tested just displayed the response entity, except
> Opera pre-10 which displayed an error page about the auth scheme not
> being recognized:
> http://hg.ltgt.net/http-cookie-auth/raw-file/tip/ua-compat.html
>
>   
Based on the context in which this scheme would be used (meaning I assume mostly
along with Ajax), I guess this shouldn't be much of a problem anyway.

- Sylvain
Received on Thursday, 12 November 2009 19:26:18 GMT