- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Wed, 11 Nov 2009 23:52:08 +0100
- To: Nicolas Alvarez <nicolas.alvarez@gmail.com>
- Cc: ietf-http-wg@w3.org
On Wed 2009-11-11 at 16:36 -0300, Nicolas Alvarez wrote:
> Thomas Broyer wrote:
> > http-cookie-auth is totally backwards compatible (except unfortunately
> > with Opera pre-10.0, as Opera will then display an error page about
> > the auth scheme not being supported);
>
> To avoid this problem again: does the spec say what user agents should do if
> they find an unrecognized auth scheme? (ignore vs fail)

Relevant quote from RFC2617, which is still the authoritative document on this:

   The user agent MUST choose to use one of the challenges with the
   strongest auth-scheme it understands and request credentials from the
   user based upon that challenge.

Wording in RFC2617 is not the greatest, but imho it's pretty clear to anyone reading the document that the scheme is extensible with new schemes and unknown schemes should be ignored by the user agent.

What is unspecified is how the user agent should behave if none of the provided challenges is understood. It seems to me that most user agents then fall back on basic auth with unspecified realm, which imho is not a bad thing to do. It is both unlikely to be accepted by the server AND exposes password details in the plain for no good value; better to abort the request with an error.

Regards
Henrik
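As an added illustration of the client-side rule Henrik quotes (not code from the thread, RFC 2617 or any browser), the following Python selects the strongest understood challenge from a WWW-Authenticate header, ignores schemes it does not know, and fails closed instead of falling back to Basic when nothing offered is recognised. The strength ranking, the `Cookie` scheme name in the sample header and the header values themselves are constructed for the example; the parser handles `auth-param` lists but not the bare `token68` form.

```python
import re
from dataclasses import dataclass, field

# Assumed for this example (not from the thread): the schemes this client
# understands, ranked by strength.  Anything not listed is "unknown" and is
# ignored, as RFC 2617 directs.
KNOWN_SCHEME_STRENGTH = {"basic": 1, "digest": 2}

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# One lexical element per match: a param=value pair, a bare scheme name, or
# the comma that separates both params and challenges.
_SCANNER = re.compile(
    rf"\s*(?:(?P<param>{TOKEN})\s*=\s*(?P<value>{QUOTED}|{TOKEN})"
    rf"|(?P<scheme>{TOKEN})"
    rf"|(?P<comma>,))"
)


@dataclass
class Challenge:
    scheme: str
    params: dict = field(default_factory=dict)


class NoUsableChallenge(Exception):
    """No offered auth-scheme is understood; the request should be aborted."""


def parse_challenges(header_value):
    """Split a WWW-Authenticate value into challenges (scheme + params)."""
    challenges = []
    text = header_value.strip()
    pos = 0
    while pos < len(text):
        m = _SCANNER.match(text, pos)
        if not m:
            raise ValueError(f"malformed WWW-Authenticate at offset {pos}")
        pos = m.end()
        if m.group("comma"):
            continue
        if m.group("scheme"):
            # A token not followed by '=' starts a new challenge.
            challenges.append(Challenge(m.group("scheme")))
            continue
        if not challenges:
            raise ValueError("auth-param before any auth-scheme")
        value = m.group("value")
        if value.startswith('"'):
            # Strip quotes and undo quoted-pair escapes.
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        challenges[-1].params[m.group("param").lower()] = value
    return challenges


def select_challenge(header_value):
    """Pick the strongest challenge whose scheme we understand.

    Unknown schemes are skipped; if nothing is left we raise rather than
    guessing at Basic, so no credentials are sent in the clear for a scheme
    the server never offered.
    """
    understood = [
        c for c in parse_challenges(header_value)
        if c.scheme.lower() in KNOWN_SCHEME_STRENGTH   # scheme names are case-insensitive
    ]
    if not understood:
        raise NoUsableChallenge("no recognised auth-scheme offered; refusing to fall back to Basic")
    return max(understood, key=lambda c: KNOWN_SCHEME_STRENGTH[c.scheme.lower()])


def chosen_scheme(header_value):
    """Scheme name the client would use, or None when it must abort."""
    try:
        return select_challenge(header_value).scheme
    except NoUsableChallenge:
        return None


if __name__ == "__main__":
    # Constructed sample: an unknown scheme listed first, then Digest, then Basic.
    sample = 'Cookie realm="app", Digest realm="app", qop="auth", nonce="n1", Basic realm="app"'
    print(chosen_scheme(sample))                 # Digest
    print(chosen_scheme('Cookie realm="app"'))   # None -> abort with an error
```

Listing order does not matter: the Digest challenge wins even when an unknown scheme precedes it, and a header offering only unknown schemes yields an abort rather than a Basic credential prompt.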
Received on Wednesday, 11 November 2009 22:52:41 UTC