W3C home > Mailing lists > Public > www-validator@w3.org > February 2015

w3c validator 401 Authorized Required Prompt not working

From: Butler, Aaron L <aaron.l.butler@lmco.com>
Date: Wed, 11 Feb 2015 16:43:43 +0000
To: "www-validator@w3.org" <www-validator@w3.org>
Message-ID: <132E32EB93DFCE4380268012279E33583DD4D4B1@HDXDSP32.us.lmco.com>
Good Afternoon All,
I've received the below error message when trying to validate a webpage that requires credentials.   The bigger issue is thatW3C Validator didn't open a prompt window.  I have a local version installed, but is there something I could do to trigger the username/password window to open?

Authorization Required

Sorry, I am not authorized to access the specified URL.

The URL you specified, <http://madeupsite.com/>, returned a 401 "authorization required" response when I tried to download it.

You should have been prompted by your browser for a username/password pair; if you had supplied this information, I would have forwarded it to your server for authorization to access the resource. You can use your browser's "reload" function to try again, if you wish.

Of course, you may not want to trust me with this information, which is fine. I can tell you that I don't log it or do anything else nasty with it, and you can download the source code for this service to see what it does, but you have no guarantee that this is actually the code I'm using; you basically have to decide whether to trust me or not :-)

You should also be aware that the way we proxy this authentication information defeats the normal working of HTTP Authentication. If you authenticate to server A, your browser may keep sending the authentication information to us every time you validate a page, regardless of what server it's on, and we'll happily pass that on to the server thereby making it possible for a malicious server operator to capture your credentials.

Due to the way HTTP Authentication works there is no way we can avoid this. We are using some "tricks" to fool your client into not sending this information in the first place, but there is no guarantee this will work. If security is a concern to you, you may wish to avoid validating protected resources or take extra precautions to prevent your browser from sending authentication information when validating other servers.

Also note that you shouldn't use HTTP Basic Authentication for anything which really needs to be private, since the password goes across the network unencrypted.


NOTE: Whenever possible, give the address of the document you were checking..





Thank you,

Aaron L. Butler
Received on Friday, 13 February 2015 12:27:46 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 14:18:12 UTC