RE: Set-Cookie vs list header parsing (i129)

Dan Winship wrote:
> Julian Reschke wrote:
> > I don't think that changing things just because some 
> > implementations get them wrong is on our agenda.
> I didn't mean to suggest actually changing the header merging rules.
> Maybe I should have said "proxies should not merge" rather 
> than "proxies SHOULD NOT merge". Advice, not requirements.

IMO, that is not much different. "SHOULD" is only used for advise; by
definition it means the same thing as "RECOMMENDED."

> Basically, we know that multiple implementations get this 
> section wrong in different ways (the cookie spec, the 
> WWW-Authenticate bugs, the ignoring-multiple-header bugs 
> Brian mentioned), so this is a really good place to "be 
> conservative in what you send" (meaning multiples of 
> Set-Cookie, WWW-Authenticate, and Proxy-Authenticate, and no 
> multiples of anything else).

I agree 100%.

Dan, you mentioned 3 of the top 4 browsers cannot handle a merged
WWW-Authenticate. Which one got it right?


Received on Thursday, 28 August 2008 15:08:43 UTC