- From: Alexey Melnikov <alexey.melnikov@isode.com>
- Date: Fri, 29 Jun 2012 16:52:58 +0100
- To: Mark Nottingham <mnot@mnot.net>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
Hi Mark, On 20/06/2012 03:04, Mark Nottingham wrote: > Looking at this, I think this language in the spec isn't very good for other reasons as well: > >> If the origin server does not wish to accept the credentials sent with a request, it should return a 401 (Unauthorized) response. The responsemust include a WWW-Authenticate header field containing at least one (possibly new) challenge applicable to the requested resource. >> >> If a proxy does not accept the credentials sent with a request, it should return a 407 (Proxy Authentication Required) response. The responsemust include a Proxy-Authenticate header field containing a (possibly new) challenge applicable to the proxy for the requested resource. > Because "accept" can be read in so many ways. I think we can fix both problems with something like: > > """ > Requests for protected resources that omit credentials, contain invalid credentials (e.g., a bad password), or partial credentials (e.g., when the scheme requires more than one round trip) SHOULD return a 401 (Unauthorized) response. Such responses MUST include a WWW-Authenticate header field containing at least one (possibly new) challenge applicable to the requested resource. > > Likewise, requests that require authentication by proxies that omit credentials, or contain invalid or partial credentials SHOULD return a 407 (Proxy Authentication Required) response. The response MUST include a Proxy-Authenticate header field containing a (possibly new) challenge applicable to the proxy. > """ > > Thoughts? This reads better, yes.
Received on Friday, 29 June 2012 15:53:31 UTC