W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2012

RE: [XHR] Authentication prompt during send()

From: Hobbs, Timothy <Timothy.Hobbs@ca.com>
Date: Thu, 26 Apr 2012 17:00:45 +0000
To: Anne van Kesteren <annevk@opera.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <3F9B5FD3407EA849AF6A63F3D4A760AA23FBBFDD@usilms110b.ca.com>
> -----Original Message-----
> From: Anne van Kesteren [mailto:annevk@opera.com]
> Sent: 26 April 2012 14:38
> On Tue, 17 Apr 2012 14:40:33 +0200, Hobbs, Timothy
> <Timothy.Hobbs@ca.com>
> wrote:
> > Is my interpretation of the XMLHttpRequest specification flawed, is
> > there a need for the browser behavior to change, or is my requirement
> > just not serious enough?
> 
> The idea is that if you provide user/password, the browser does not transmit
> them to the server but first waits to get challenged. If challenged another
> request is made with the appropriate user/password. If that fails the user
> should not be prompted. 
Ok, this is the crux of my question as every browser I have tried will (incorrectly?) prompt.

> However, I believe this behavior has not been
> universally implemented thus far and the way HTTP authentication works
> does not make it easy to write tests for. (At least I've had trouble creating
> exhaustive tests and reverse engineering the appropriate behavior so I
> mostly gave up and have been hoping for someone to fill me in on the
> details.)
Does this mean that if we had tests we could get the browsers to follow the spec or
does this mean that the spec is going to describe the existing (imo incorrect) behaviour? 
I'm interested in having the behaviour described in the spec, not the actual behaviour
that browsers are showing. 

--
Tim Hobbs
Received on Thursday, 26 April 2012 17:01:16 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:52 GMT