- From: Sylvain Hellegouarch <sh@defuze.org>
- Date: Sat, 24 Oct 2009 15:17:43 +0200
- To: Thomas Broyer <t.broyer@gmail.com>
- CC: ietf-http-wg@w3.org
Thomas Broyer wrote:
> On Fri, Oct 23, 2009 at 5:57 PM, Sylvain Hellegouarch wrote:
>
>> Following http://www.w3.org/Protocols/HTTP/1.1/rfc2616bis/issues/#i78 I've
>> been left wondering how to convey the following semantic with HTTP:
>>
>> * The request was not fulfilled due to authorization failure and the
>> server (does not wish to)/(cannot) specify which scheme must be used.
>>
>> The context is based on HTTP requests issued from Javascript along with a
>> cookie based authentication system.
>>
>> RFC 2616 tells me I can reply neither with a 401 without a scheme nor
>> with a 403, since a subsequent Authorization would not help.
>>
>> At first I was tempted to simply use one of the 30x codes to inform the
>> Javascript handler that it should act accordingly, but browsers don't
>> bubble up 30x responses to the Javascript stack, which leaves me the
>> already burdened 400.
>>
>> There seemed to be a consensus two years ago not to split the
>> Authorization header from its WWW-Authenticate friend, but to me the
>> semantic of one without the other remains.
>>
>> Today I'm merely seeking the group's advice on what would be the best
>> decision to make.
>>
>
> Help me advance and finish "HTTP Cookie Auth" ;-)
> http://tools.ietf.org/html/draft-broyer-http-cookie-auth
> http://hg.ltgt.net/http-cookie-auth/
>
> (this is only a matter of the time I have available to work on it, much
> less than I'd like; do not see the absence of work as giving up)
>

Hi Thomas,

This is indeed a good starting point. I went through your proposal and I'm a bit unclear about the actual end-to-end workflow performed by the UA. I'm not sure I understand how the different directives would be applied.

- Sylvain
Received on Saturday, 24 October 2009 13:18:09 UTC