- From: Willy Tarreau <w@1wt.eu>
- Date: Sat, 29 Oct 2011 16:29:26 +0200
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Sat, Oct 29, 2011 at 02:38:14PM +0200, Julian Reschke wrote:
> > WWW-Authenticate: Newauth realm="apps"
> > WWW-Authenticate: type=1
> > WWW-Authenticate: title="Login to \"apps\""
> > WWW-Authenticate: Basic realm="simple"
>
> ...except a recipient would allow to ignore the 2nd and the 3rd because,
> in isolation, they do not conform to the header ABNF.

Good point.

(...)
> indeed. WWW-Authenticate is a big mess, because it uses the same
> delimiter *between* challenges and *inside* challenges. We can't change
> that, but we can warn.

Couldn't we suggest that new schemes must use semi-colon instead? After all,
existing parsers will have to be extended to support new schemes anyway, so
making them support a more reliable syntax makes sense.

> The spec already says (and has been in 2617):
>
> "User agents are advised to take special care in parsing the
> WWW-Authenticate field value as it might contain more than one
> challenge, or if more than one WWW-Authenticate header field is
> provided, the contents of a challenge itself can contain a
> comma-separated list of authentication parameters."

I did not notice this warning, thanks for pointing it out to me.

Regards,
Willy
Received on Saturday, 29 October 2011 14:30:05 UTC
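
The ambiguity discussed in this message, as an added example that is not part of the original post or of any project's code: a recipient that folds the four quoted field lines with commas has to decide, element by element, whether a comma ended a parameter or a whole challenge, and a recipient that validates each line alone finds the 2nd and 3rd malformed. The function names are hypothetical, and the sketch assumes challenges made of `name=value` parameters only (no token68 credentials).

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# A list element is a run of quoted-strings and non-comma characters, so a
# comma inside a quoted-string does not end the element.
ITEM = re.compile(rf'(?:{QUOTED}|[^",])+')
# One element: optional "scheme SP", then optional name=value (auth-param).
ELEMENT = re.compile(
    rf'\s*(?:(?P<scheme>{TOKEN})(?:\s+|$))?'
    rf'(?:(?P<name>{TOKEN})\s*=\s*(?P<value>{QUOTED}|{TOKEN}))?\s*$')

def unquote(v):
    """Strip the quotes and backslash escapes from a quoted-string value."""
    return re.sub(r'\\(.)', r'\1', v[1:-1]) if v.startswith('"') else v

def parse_challenges(field_lines):
    """Fold repeated field lines with commas, then rebuild the challenges."""
    challenges = []
    for item in ITEM.findall(", ".join(field_lines)):
        if not item.strip():
            continue                      # empty list element
        m = ELEMENT.match(item)
        if not m:
            raise ValueError(f"malformed element: {item!r}")
        if m["scheme"]:                   # "token SP ..." opens a new challenge
            challenges.append((m["scheme"], {}))
        elif not challenges:              # bare name=value with no scheme yet
            raise ValueError(f"auth-param without a scheme: {item!r}")
        if m["name"]:
            challenges[-1][1][m["name"].lower()] = unquote(m["value"])
    return challenges

def invalid_in_isolation(field_lines):
    """Lines a strict recipient could drop when validating each line alone."""
    bad = []
    for line in field_lines:
        try:
            parse_challenges([line])
        except ValueError:
            bad.append(line)
    return bad

# The four field lines quoted in the message above.
SAMPLE = ['Newauth realm="apps"', 'type=1',
          r'title="Login to \"apps\""', 'Basic realm="simple"']

if __name__ == "__main__":
    print(parse_challenges(SAMPLE))
    print(invalid_in_isolation(SAMPLE))
```

If the two lines flagged by `invalid_in_isolation` are dropped before folding, the same parser returns a `Newauth` challenge carrying only `realm`, which is the divergence between recipients that the message points out.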