- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Wed, 30 Oct 2013 15:40:51 +0100
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: ietf-http-wg@w3.org
* Julian Reschke wrote:
>Hi there,
>
><http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-24.html#rfc.section.4.4>:
>
>"User agents are advised to take special care in parsing the
>WWW-Authenticate field value as it might contain more than one
>challenge, or if more than one WWW-Authenticate header field is
>provided, the contents of a challenge itself can contain a
>comma-separated list of authentication parameters."
>
>This is text that we copied from RFC 2616
>(<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.47>).
>However, isn't the
>
>"...if more than one WWW-Authenticate header field is provided..."
>
>incorrect?
>
>What's contained in a challenge does not depend on the number of header
>field instances, after all.

The intent may have been to emphasise that having only one challenge per WWW-Authenticate header does not mean no special care has to be taken. I agree that it can be confusing; replacing the sub clause by "and" should be fine.

(User agents should also take special care handling multiple headers; it can make a difference whether you parse them individually or merge them first and then parse the whole value; e.g. two individually malformed values might turn into a well-formed value. But WWW-Authenticate is not special in that regard.)

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Wednesday, 30 October 2013 14:41:21 UTC
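
The parse-individually versus merge-then-parse difference mentioned in the message above, as an added example that is not part of the original message or of the draft. It assumes a simplified challenge grammar (auth-scheme plus comma-separated auth-params, no token68 form); the function names and the sample field values are constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param = token BWS "=" BWS ( token / quoted-string )
PARAM = re.compile(rf'({TOKEN})[ \t]*=[ \t]*(?:({TOKEN})|"((?:[^"\\]|\\.)*)")')
# auth-scheme = token followed by whitespace, a comma, or the end of the value
SCHEME = re.compile(rf'({TOKEN})(?=[ \t,]|$)')

def parse_challenges(value):
    """Parse one field value into [(scheme, {param: value})]; ValueError if malformed."""
    challenges, pos, n = [], 0, len(value)
    while True:
        while pos < n and value[pos] in " \t,":   # OWS and empty list elements
            pos += 1
        if pos >= n:
            return challenges
        m = PARAM.match(value, pos)
        if m:
            if not challenges:
                raise ValueError("auth-param before any auth-scheme")
            name, tok, quoted = m.groups()
            val = tok if tok is not None else re.sub(r"\\(.)", r"\1", quoted)
            challenges[-1][1][name.lower()] = val
            pos = m.end()
            while pos < n and value[pos] in " \t":
                pos += 1
            if pos < n and value[pos] != ",":     # a param ends at a comma or the end
                raise ValueError(f"junk after auth-param at offset {pos}")
            continue
        m = SCHEME.match(value, pos)
        if not m:
            raise ValueError(f"malformed input at offset {pos}")
        challenges.append((m.group(1), {}))
        pos = m.end()

def parse_individually(field_values):
    """Parse each header field instance alone; collect the instances that fail."""
    good, bad = [], []
    for v in field_values:
        try:
            good.extend(parse_challenges(v))
        except ValueError:
            bad.append(v)
    return good, bad

def parse_merged(field_values):
    """Combine the instances with ', ' first, then parse the single value."""
    return parse_challenges(", ".join(field_values))

# Constructed samples: SPLIT is malformed per instance but well-formed once merged.
SPLIT = ['Basic realm="a', 'b"']
CLEAN = ['Basic realm="x"', 'Digest realm="y", nonce="n"']
```

With SPLIT, a component that parses per instance sees no usable challenge while one that merges first sees a Basic challenge, so two components handling the same response can disagree about which authentication is being requested.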