Re: XHR LC comments

Bjoern Hoehrmann wrote:
> * Julian Reschke wrote:
>> Julian Reschke wrote:
>>> Anne van Kesteren wrote:
>>>  > ...
>>>> From what I recall at least Firefox does it that way in practice.
>>>> Currently it does not give any indication what kind of character 
>>>> encoding needs to be used so we picked the most obvious one.
>>>> ...
>>> I just tried, and as far as I can tell, it uses ISO-8859-1.
>> More tests reveal that IE, Firefox and Safari use ISO-8859-1, while 
>> Opera uses UTF-8. From my reading of RFC2617 and RFC2616, using 
>> ISO-8859-1 actually is correct (like it or not).
> 
> Assuming this is about the encoding of username and password in HTTP
> Basic Authentication, then I think your interpretation and tests are
> incorrect, or my contradictory results are no longer valid, see:
> 
>   http://lists.osafoundation.org/pipermail/ietf-http-auth/2006-September/000374.html

Interesting.

I should have mentioned that I made the assumption that UAs use the same 
encoding for both browser access (which I tested) and XHR. Apparently 
that is not the case (which makes things even worse from my p.o.v.).

> I believe the if-not-iso-8859-1 remark in RFC 2616 is irrelevant here
> as you have to pick a character encoding before you apply the base64
> transformation. It is the base64 encoded string that the 2616 remark
> would apply to.

Nope.

From <http://greenbytes.de/tech/webdav/rfc2617.html#rfc.section.2>:

       credentials = "Basic" basic-credentials
       basic-credentials = base64-user-pass
       base64-user-pass  = <base64 [4] encoding of user-pass,
                        except not limited to 76 char/line>
       user-pass   = userid ":" password
       userid      = *<TEXT excluding ":">
       password    = *TEXT

So, userid and password both allow ISO-8859-1 (via TEXT), and their 
contents get base64-encoded.

> I would be interested to know what Internet Explorer 7 on a system does
> where the default code page is not CP1252, my suspicion would be that
> the default code page is used, rather than Windows-1252, but I lack the
> setup to confirm or deny that at the moment. If anyone is going to test
> this, posting the results to the http-auth list would be a good idea.

I recall that people mentioned somewhere else that the encoding can 
depend on the locale, both for IIS and IE.

The situation *is* bad, but claiming that UTF-8 is what's in use IMHO is 
incorrect.

Yes, the I18N problems of Basic Authentication need to be fixed, but XHR 
is not the right place to do it.

BR, Julian

Received on Tuesday, 27 May 2008 16:12:51 UTC
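
Added example, not part of the original message: the grammar quoted above base64-encodes user-pass, but the header carries no charset label, so the same userid and password produce different credentials under ISO-8859-1 and UTF-8, and a server cannot always tell which one it received. The sketch assumes Node.js (Buffer); the function names and the sample credentials are constructed for illustration.

```javascript
// Client side: encode user-pass in the chosen charset, then base64 the octets.
function basicCredentials(userid, password, charset) {
  if (userid.includes(":")) throw new Error("userid must not contain ':'");
  const userPass = userid + ":" + password;
  if (charset === "latin1") {
    // Node's latin1 encoder keeps only the low byte of each code unit, so
    // reject anything above U+00FF instead of letting it be truncated.
    for (const ch of userPass) {
      if (ch.codePointAt(0) > 0xff) {
        throw new RangeError("not representable in ISO-8859-1");
      }
    }
  } else if (charset !== "utf8") {
    throw new Error("charset must be 'latin1' or 'utf8'");
  }
  return "Basic " + Buffer.from(userPass, charset).toString("base64");
}

// Split at the first ':' (userid cannot contain one, password can).
function splitUserPass(text) {
  const i = text.indexOf(":");
  return i < 0 ? null : { userid: text.slice(0, i), password: text.slice(i + 1) };
}

// Server side: the header carries octets only, with no charset label.
// Return both readings so the caller can see when they disagree.
function decodeBasic(headerValue) {
  const m = /^Basic +([A-Za-z0-9+/]+={0,2})$/.exec(headerValue);
  if (!m) return null;
  const octets = Buffer.from(m[1], "base64");
  const asUtf8 = octets.toString("utf8");
  // Invalid UTF-8 decodes to U+FFFD, which does not re-encode to the same octets.
  const validUtf8 = Buffer.from(asUtf8, "utf8").equals(octets);
  return {
    latin1: splitUserPass(octets.toString("latin1")),
    utf8: validUtf8 ? splitUserPass(asUtf8) : null,
    // Non-ASCII octets that are also valid UTF-8 have two plausible readings.
    ambiguous: validUtf8 && octets.some((b) => b > 0x7f),
  };
}

// Constructed sample: userid U+00E4, password U+00F6.
const latin1Header = basicCredentials("\u00e4", "\u00f6", "latin1"); // E4 3A F6
const utf8Header = basicCredentials("\u00e4", "\u00f6", "utf8"); // C3 A4 3A C3 B6
console.log(latin1Header, decodeBasic(latin1Header));
console.log(utf8Header, decodeBasic(utf8Header));
```

A server that stores credentials in one charset and receives them in the other compares different octets for the same typed password; the `ambiguous` flag marks the requests where that mismatch cannot be detected from the header alone.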