- From: Thomas Broyer <t.broyer@gmail.com>
- Date: Sun, 1 Feb 2009 11:25:54 +0100
- To: ietf-http-wg@w3.org
Hi Mark,

On Fri, Jan 23, 2009 at 1:25 AM, Mark Nottingham wrote:
>
> We're not chartered to do extension work, but you can certainly use the
> mailing list for review and discussion.
>
> BTW, this sounds a little bit like a previous discussion;
> http://www.w3.org/mid/76F49FF4-54D7-4917-85A3-A0D648E57C7E@mnot.net

Thanks for the pointer!

For those interested, I conducted some tests on 5 browsers (IE7, Safari 3.2.1, Opera 9.63, Firefox 3.0.5 and Chrome 1.0.154.46; all on Windows Vista). The tests were done with *.asis files served first with Apache mod_asis (to ensure proper HTTP) and then with a dummy HTTP server [1] (to ensure no transformation on response headers). Results were identical whichever the serving method. Here they are:

http://ltgt.net/tests/http-cookie-auth/location-in-401.asis
http://hg.ltgt.net/http-cookie-auth/raw-file/tip/tests/location-in-401.asis

No browser ever redirected to the given location (which is probably a good thing). Given the use of WWW-Authenticate / Cookie, Opera showed an error page. I also tried with a 401 without WWW-Authenticate in Opera, and it then displayed the returned entity, just like the other browsers.

http://ltgt.net/tests/http-cookie-auth/new-redirect-status.asis
http://hg.ltgt.net/http-cookie-auth/raw-file/tip/tests/new-redirect-status.asis

Only Safari honors the redirect, others just display the response as if it had been sent with a 200 status.

http://ltgt.net/tests/http-cookie-auth/new-redirect-status-with-www-authentication.asis
http://hg.ltgt.net/http-cookie-auth/raw-file/tip/tests/new-redirect-status-with-www-authentication.asis

Same as above (note that Opera doesn't choke on the WWW-Authenticate as it's not sent in a 401).

This tends to suggest that a 401 (or 407, or eventually 403 or 402, in the case you reported two years ago) with a custom WWW-Authenticate (or no WWW-Authenticate at all?) would be the solution with best compatibility among existing browsers (I didn't try other UAs, such as wget); with a Refresh response header, "meta refresh" in the HTML body and/or javascript if you want/need to redirect.

[1] http://hg.ltgt.net/http-cookie-auth/raw-file/tip/tests/asis.py

--
Thomas Broyer
Received on Sunday, 1 February 2009 10:26:31 UTC
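
The response shape suggested in the message above (a 401 with a custom WWW-Authenticate, plus a Refresh header and "meta refresh" in the body), sketched as an added example that is not part of the original post or of the author's test files. The `/login` path, the `next` parameter and the function names are assumptions; the return target is restricted to a same-origin path so the Refresh URL cannot be steered off-site or carry injected header lines.

```python
"""Added example: 401 challenge for cookie-based login with Refresh fallbacks."""
from html import escape
from urllib.parse import quote, urlsplit

LOGIN_PATH = "/login"  # assumption: the site's form-login page


def safe_return_path(target):
    """Accept only a same-origin absolute path as the post-login return target."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return "/"  # absolute or scheme-relative URL: fall back to the site root
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return "/"  # backslashes and control characters (CR/LF) are rejected
    return target


def login_challenge(requested, has_session):
    """Return (status, headers, body) for a request to a protected resource."""
    if has_session:
        return "200 OK", [("Content-Type", "text/plain")], b"protected content\n"
    # Percent-encode the whole return path so it stays one query value.
    login_url = LOGIN_PATH + "?next=" + quote(safe_return_path(requested), safe="")
    attr = escape(login_url, quote=True)
    body = (
        "<!DOCTYPE html><html><head>"
        '<meta http-equiv="refresh" content="0; url=%s">'
        "<title>Sign in required</title></head>"
        '<body><p>Please <a href="%s">sign in</a>.</p></body></html>'
    ) % (attr, attr)
    headers = [
        # HTTP/1.1 requires WWW-Authenticate on a 401; "Cookie" is the scheme
        # name used in the tests above (Opera showed an error page for it).
        ("WWW-Authenticate", "Cookie"),
        # No Location header: none of the tested browsers followed it on a 401.
        ("Refresh", "0; url=" + login_url),
        ("Content-Type", "text/html; charset=utf-8"),
        ("Cache-Control", "no-store"),
    ]
    return "401 Unauthorized", headers, body.encode("utf-8")
```
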