
Re: #516 note about WWW-A parsing potentially misleading

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 30 Oct 2013 15:50:21 +0100
Message-ID: <52711CAD.6040309@gmx.de>
To: Michael Sweet <msweet@apple.com>
CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

On 2013-10-30 15:39, Michael Sweet wrote:
> Julian,
>
> This might be a case of what-is-defined vs. what-is-used, but in my experience user agents/clients don't support multiple WWW-Authenticate headers and often do not look past the first challenge in the value.

Multiple challenges in one header field: 
<http://greenbytes.de/tech/tc/httpauth/#multibasicunknown2> (fail for 
everyone except Safari and Konqueror)

Multiple header field instances: 
<http://greenbytes.de/tech/tc/httpauth/#multibasicunknown2mf> (seems to 
work interoperably)

> Given that the current p1-messaging draft says that senders MUST NOT repeat headers (section 3.2.2) and that WWW-Authenticate is not listed as an exception like Set-Cookie, I think it would be appropriate/safe to drop the "or if more than one WWW-Authenticate header field is provided" part in p7-auth.

<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-24.html#rfc.section.3.2.2.p.2>:

"A sender MUST NOT generate multiple header fields with the same field 
name in a message unless either the entire field value for that header 
field is defined as a comma-separated list [i.e., #(values)] or the 
header field is a well-known exception (as noted below)."

So WWW-Authenticate does not need to be listed as exception because it 
*does* use the list syntax.

Best regards, Julian
Received on Wednesday, 30 October 2013 14:50:55 UTC
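
An added example, not part of the original message or of the HTTPbis drafts: a Python sketch of why the two forms discussed above (several challenges in one WWW-Authenticate field, or several field instances) must parse identically when the field value is a comma-separated list. The function names, the `token68` dictionary key and the sample header values are assumptions constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM = re.compile(rf'({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))')
CHALLENGE = re.compile(rf"({TOKEN})(?:\s+(.*))?", re.S)

def split_list(value):
    """Split a list-syntax field value on commas outside quoted-strings."""
    items, buf, quoted, esc = [], [], False, False
    for ch in value:
        if esc:
            esc = False                      # char after a backslash is literal
        elif quoted and ch == "\\":
            esc = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items.append("".join(buf).strip()); buf = []
            continue
        buf.append(ch)
    items.append("".join(buf).strip())
    return [i for i in items if i]

def parse_param(item):
    m = PARAM.fullmatch(item)
    if not m:
        return None
    name, quoted, token = m.groups()
    value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
    return name.lower(), value

def parse_challenges(field_values):
    """Combine all field instances with ', ' and parse them as one list."""
    challenges = []
    for item in split_list(", ".join(field_values)):
        param = parse_param(item)
        if param and challenges:             # bare name=value continues the
            challenges[-1][1][param[0]] = param[1]   # previous challenge
            continue
        m = CHALLENGE.fullmatch(item)
        if not m:
            raise ValueError(f"malformed challenge item: {item!r}")
        scheme, rest = m.groups()
        first = parse_param(rest.strip()) if rest else None
        params = {first[0]: first[1]} if first else ({"token68": rest.strip()} if rest else {})
        challenges.append((scheme, params))
    return challenges

def select_challenge(challenges, supported):
    """Return the first challenge with a supported scheme, not just the first one."""
    return next((c for c in challenges if c[0].lower() in supported), None)

# Constructed sample input: the same challenges as one field and as two fields.
ONE_FIELD = [r'Newauth realm="apps", type=1, title="Login to \"apps\"", Basic realm="simple"']
TWO_FIELDS = [r'Newauth realm="apps", type=1, title="Login to \"apps\""', 'Basic realm="simple"']
```

A client that only inspects the first challenge would see the unknown `Newauth` scheme in either form and never reach `Basic`; `select_challenge` walks the whole parsed list instead.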
