- From: Sylvain Hellegouarch <sh@defuze.org>
- Date: Fri, 23 Oct 2009 17:57:01 +0200 (CEST)
- To: ietf-http-wg@w3.org
Hi all,

Following http://www.w3.org/Protocols/HTTP/1.1/rfc2616bis/issues/#i78 I've been left wondering how to convey the following semantics with HTTP:

* The request was not fulfilled due to authorization failure and the server (does not wish to)/(cannot) specify which scheme must be used.

The context is based on HTTP requests issued from JavaScript along with a cookie-based authentication system. RFC 2616 tells me I can neither reply with a 401 without a scheme nor use a 403, since subsequent Authorization would not help.

At first I was tempted to simply use one of the 30x codes to inform the JavaScript handler that it should act accordingly, but browsers don't bubble up 30x responses to the JavaScript stack, which leaves me the already burdened 400.

There seemed to be a consensus two years ago not to split the Authorization header from its WWW-Authenticate friend, but to me the semantics of one without the other remain.

Today I'm merely seeking the group's advice on what would be the best decision to make.

Thanks,
- Sylvain

--
Sylvain Hellegouarch
http://www.defuze.org
Received on Friday, 23 October 2009 15:57:29 UTC