Re: #516 note about WWW-A parsing potentially misleading

Julian,

This might be a case of what-is-defined vs. what-is-used, but in my experience user agents/clients don't support multiple WWW-Authenticate headers and often do not look past the first challenge in the value.

Given that the current p1-messaging draft says that senders MUST NOT repeat headers (section 3.2.2) and that WWW-Authenticate is not listed as an exception like Set-Cookie, I think it would be appropriate/safe to drop the "or if more than one WWW-Authenticate header field is provided" part in p7-auth.


On Oct 30, 2013, at 10:10 AM, Julian Reschke <julian.reschke@gmx.de> wrote:

> Hi there,
> 
> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-24.html#rfc.section.4.4>:
> 
> "User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters."
> 
> This is text that we copied from RFC 2616 (<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.47>). However, isn't the
> 
> "...if more than one WWW-Authenticate header field is provided..."
> 
> incorrect?
> 
> What's contained in a challenge does not depend on the number of header field instances, after all.
> 
> Best regards, Julian
> 

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

Received on Wednesday, 30 October 2013 14:38:54 UTC
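
Added example, not part of the original thread or of any draft text: a Python parser for the ambiguity under discussion, where a comma in WWW-Authenticate can separate two challenges, separate two auth-params of one challenge, or sit inside a quoted-string. It assumes the challenge grammar `auth-scheme [ 1*SP ( token68 / #auth-param ) ]`; the name `parse_challenges` and the sample header values are constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param = token BWS "=" BWS ( token / quoted-string )
PARAM = re.compile(rf'({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))')
# auth-scheme, optionally followed by a token68 that ends the challenge
SCHEME = re.compile(rf'({TOKEN})(?: +([A-Za-z0-9\-._~+/]+=*)(?=\s*(?:,|$)))?')
SEPARATORS = re.compile(r'[\s,]*')


def parse_challenges(field_values):
    """Return [(scheme, params_dict_or_token68), ...] for all given field values."""
    if isinstance(field_values, str):
        field_values = [field_values]
    challenges = []
    for value in field_values:
        current = None  # params dict of the challenge being filled in this value
        pos = SEPARATORS.match(value).end()
        while pos < len(value):
            m = PARAM.match(value, pos)
            if m and current is not None:
                # "token=value" after a comma continues the current challenge
                name, quoted, bare = m.groups()
                if quoted is not None:
                    bare = re.sub(r'\\(.)', r'\1', quoted)  # undo quoted-pair
                current[name.lower()] = bare
            else:
                # anything else has to start a new challenge
                m = SCHEME.match(value, pos)
                if not m:
                    raise ValueError(f"malformed challenge at offset {pos}: {value[pos:]!r}")
                scheme, token68 = m.groups()
                current = {} if token68 is None else None
                challenges.append((scheme, token68 if token68 is not None else current))
            pos = SEPARATORS.match(value, m.end()).end()
    return challenges


# Constructed sample: three challenges carried in one field value ...
SAMPLE_COMBINED = (r'Newauth realm="apps", type=1, title="Login to \"apps\"", '
                   r'Basic realm="simple, with comma", Negotiate YWJj==')
# ... and the same three challenges sent as three separate header fields.
SAMPLE_SPLIT = [r'Newauth realm="apps", type=1, title="Login to \"apps\""',
                'Basic realm="simple, with comma"',
                'Negotiate YWJj==']

if __name__ == "__main__":
    for scheme, detail in parse_challenges(SAMPLE_COMBINED):
        print(scheme, detail)
```

Both sample forms parse to the same three challenges, while a plain split on "," cuts the combined value into six fragments.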