Re: #516 note about WWW-A parsing potentially misleading

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 30 Oct 2013 15:40:51 +0100
To: Julian Reschke <julian.reschke@gmx.de>
Cc: ietf-http-wg@w3.org
Message-ID: <3t5279926noaa3t79mhf9mrbjepse3akhq@hive.bjoern.hoehrmann.de>

* Julian Reschke wrote:
>Hi there,
>
><http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-24.html#rfc.section.4.4>:
>
>"User agents are advised to take special care in parsing the 
>WWW-Authenticate field value as it might contain more than one 
>challenge, or if more than one WWW-Authenticate header field is 
>provided, the contents of a challenge itself can contain a 
>comma-separated list of authentication parameters."
>
>This is text that we copied from RFC 2616 
>(<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.47>). 
>However, isn't the
>
>"...if more than one WWW-Authenticate header field is provided..."
>
>incorrect?
>
>What's contained in a challenge does not depend on the number of header 
>field instances, after all.

The intent may have been to emphasise that having only one challenge per
WWW-Authenticate header does not mean no special care has to be taken. I
agree that it can be confusing; replacing the sub clause by "and" should
be fine.

(User agents should also take special care handling multiple headers; it
can make a difference whether you parse them individually or merge them
first and then parse the whole value; e.g. two individually malformed
values might turn into a well-formed value. But WWW-Authenticate is not
special in that regard.)
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Wednesday, 30 October 2013 14:41:21 UTC