Digest auth and domain=

    3.2.1 The WWW-Authenticate Response Header

    domain
      A space-separated list of URIs, as specified in RFC XURI [7]. The
      intent is that the client could use this information to know the set
      of URIs for which the same authentication information should be sent.
      The URIs in this list may exist on different servers. If this keyword
      is omitted or empty, the client should assume that the domain
      consists of all URIs on the responding server.

I'm uncomfortable with what the words say, and whether they say what
they're meant to say.  In truth I'm concerned about how much they
*don't* say.

I believe one intent is that something like
	domain="/dir/"
means the credentials should be applied to all URIs of the form /dir/*.
But I don't think the words say that.

I also wonder whether implementers think that
	domain="/xyz"
means "URI /xyz and all /xyz/*", or just the URI /xyz.  The notion of
"prefix" (which I think is implied here) is poorly defined (well,
completely undefined), and I don't know what the consensus opinion is.
Moreover, the consensus opinion should be made explicit.

Dave Kristol

Received on Friday, 1 May 1998 11:53:15 UTC
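To make the ambiguity Kristol describes concrete, here is an added example (my own code, not part of the message above nor of any RFC text) of the client-side decision "should I send this realm's credentials for this request URI?". It parses a `domain=` value the way the quoted text describes (space-separated, possibly absolute URIs on other servers, empty meaning the whole responding server) and then applies the two readings contrasted in the message: a plain string-prefix test, and a test that requires the prefix to end at a path-segment boundary. Host names, the function names `parse_domain` and `in_protection_space`, and the `mode` parameter are assumptions made for the example.

```python
from urllib.parse import urljoin, urlsplit


def parse_domain(domain_value, responding_origin):
    """Turn a WWW-Authenticate domain= value into a list of absolute URIs.

    Entries are space-separated; relative entries are resolved against the
    responding server's origin.  Omitted or empty domain means "all URIs on
    the responding server", modelled here as the origin's root path.
    (Assumption for this example: domain_value is the unquoted value.)
    """
    entries = domain_value.split() if domain_value else []
    if not entries:
        return [urljoin(responding_origin, "/")]
    return [urljoin(responding_origin, entry) for entry in entries]


def _same_origin(a, b):
    # Compare scheme and authority case-insensitively; a domain entry that
    # lives on another server only covers requests to that server.
    return (a.scheme.lower(), a.netloc.lower()) == (b.scheme.lower(), b.netloc.lower())


def in_protection_space(request_uri, domain_uris, mode="segment"):
    """Decide whether credentials obtained for this realm apply to request_uri.

    mode="string":  plain string-prefix match.  Under this reading
                    domain="/xyz" also covers /xyzzy, so the client would
                    present credentials to a resource the server may never
                    have placed in the protection space.
    mode="segment": the domain path must equal the request path or be a
                    whole leading path segment of it, so "/xyz" covers
                    "/xyz" and "/xyz/*" but not "/xyzzy".
    """
    req = urlsplit(request_uri)
    req_path = req.path or "/"
    for entry in domain_uris:
        dom = urlsplit(entry)
        if not _same_origin(req, dom):
            continue
        dom_path = dom.path or "/"
        if mode == "string":
            if req_path.startswith(dom_path):
                return True
        elif mode == "segment":
            if req_path == dom_path or req_path.startswith(dom_path.rstrip("/") + "/"):
                return True
        else:
            raise ValueError("mode must be 'string' or 'segment'")
    return False


def compare_readings(domain_value, responding_origin, candidate_uris):
    """Return {uri: (string_reading, segment_reading)} so the two
    interpretations can be compared side by side for a set of request URIs."""
    domain_uris = parse_domain(domain_value, responding_origin)
    return {
        uri: (
            in_protection_space(uri, domain_uris, "string"),
            in_protection_space(uri, domain_uris, "segment"),
        )
        for uri in candidate_uris
    }


if __name__ == "__main__":
    # Constructed sample: the responding server sends domain="/xyz".
    origin = "https://example.test"
    candidates = [
        "https://example.test/xyz",
        "https://example.test/xyz/report",
        "https://example.test/xyzzy",      # differs only under the two readings
        "https://other.test/xyz",          # other server: never covered
    ]
    for uri, (as_string, as_segment) in compare_readings("/xyz", origin, candidates).items():
        print(f"{uri:40}  string-prefix={as_string!s:5}  segment-prefix={as_segment}")
```

The only URI on which the two readings disagree is `/xyzzy`, which is exactly the gap the message points at: a client and server that pick different readings will disagree about the boundary of the protection space, and the looser reading has the client volunteering credentials for paths the server did not list.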