W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2010

parsing of unknown challenges, was: Ticket 237

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 22 Sep 2010 17:07:09 +0200
Message-ID: <4C9A1B9D.9010609@gmx.de>
To: HTTP Working Group <ietf-http-wg@w3.org>
On 13.09.2010 17:58, Julian Reschke wrote:
> Hi,
>
> I just applied the (slightly modified) changes with
> <http://trac.tools.ietf.org/wg/httpbis/trac/changeset/998>; which means
> that ticket 237 can be closed once the next draft is out.
>
> If there are issues with the text that was added we probably should
> treat them as new bugs.
>
> Best regards, Julian

Hi,

there was a left-over from this change... RFC 2617 says in 
<http://greenbytes.de/tech/webdav/rfc2617.html#rfc.section.1.2.p.9>:

"Note that many browsers will only recognize Basic and will require that 
it be the first auth-scheme presented. Servers should only include Basic 
if it is minimally acceptable."

This has two problems: first of all, it's in the wrong place (it should 
be close to the definition of challenges, not credentials). Second, this 
was written in 1999, and surely isn't true anymore. Right? RIGHT?

Wrong.

I checked with

1.

WWW-Authenticate: BASIC realm="basic", UNKNOWN realm="xyz"

2.

WWW-Authenticate: UNKNOWN realm="xyz", BASIC realm="basic"

and

3.

WWW-Authenticate: UNKNOWN realm="xyz"
WWW-Authenticate: BASIC realm="basic"

...and indeed, only variant 1) worked in all browsers 
(FF/IE/Chrome/Safari/Opera) I tried. The only browser that seems to grok 
options 2 and 3 is Safari.

So, apparently a warning is still needed. I have rephrased the Note to:

       Note: Many browsers fail to parse challenges containing unknown
       schemes.  A workaround for this problem is to list well-supported
       schemes (such as "basic") first.

and moved it up below the other note on parsing challenges (see 
<http://trac.tools.ietf.org/wg/httpbis/trac/changeset/1018>).

With respect to the actual browser bug(s): is anybody aware of existing 
bugs in the bug tracking systems? Do we need to raise new ones?

Best regards, Julian
Received on Wednesday, 22 September 2010 15:07:48 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:25 GMT