W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: #516 note about WWW-A parsing potentially misleading

From: Michael Sweet <msweet@apple.com>
Date: Wed, 30 Oct 2013 10:39:44 -0400
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-id: <7F7F3050-9B77-4E27-AD23-4E0BEF2F530A@apple.com>
To: Julian Reschke <julian.reschke@gmx.de>
Julian,

This might be a case of what-is-defined vs. what-is-used, but in my experience user agents/clients don't support multiple WWW-Authenticate headers and often do not look past the first challenge in the value.

Given that the current p1-messaging draft says that senders MUST NOT repeat headers (section 3.2.2) and that WWW-Authenticate is not listed as an exception like Set-Cookie, I think it would be appropriate/safe to drop the "or if more than one WWW-Authenticate header field is provided" part in p7-auth.


On Oct 30, 2013, at 10:10 AM, Julian Reschke <julian.reschke@gmx.de> wrote:

> Hi there,
> 
> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-24.html#rfc.section.4.4>:
> 
> "User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters."
> 
> This is text that we copied from RFC 2616 (<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.47>). However, isn't the
> 
> "...if more than one WWW-Authenticate header field is provided..."
> 
> incorrect?
> 
> What's contained in a challenge does not depend on the number of header field instances, after all.
> 
> Best regards, Julian
> 

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
Received on Wednesday, 30 October 2013 14:38:54 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:18 UTC