- From: Thomas Broyer <t.broyer@gmail.com>
- Date: Thu, 12 Nov 2009 00:12:13 +0100
- To: Henrik Nordstrom <henrik@henriknordstrom.net>
- Cc: Nicolas Alvarez <nicolas.alvarez@gmail.com>, ietf-http-wg@w3.org
On Wed, Nov 11, 2009 at 11:52 PM, Henrik Nordstrom wrote:
>
> What is unspecified is how the user agent should behave if none of the
> provided challenges is understood. It seems to me that most user agents
> then fall back on basic auth with unspecified realm which imho is not a
> bad thing to do. Both unlikely to be accepted by the server AND exposing
> password details in the plain for no good value, better to abort the
> request with an error.

All user agents I tested just displayed the response entity, except Opera pre-10 which displayed an error page about the auth scheme not being recognized:
http://hg.ltgt.net/http-cookie-auth/raw-file/tip/ua-compat.html

--
Thomas Broyer
/tɔ.ma.bʁwa.je/
Received on Wednesday, 11 November 2009 23:12:52 UTC
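
The client-side policy discussed in this message (abort when none of the offered challenges is understood, never fall back to Basic on its own initiative), sketched as an added example that is not part of the original message. The function names, the `Example-Scheme` scheme and the sample header are constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# A list element of the form "name=value" continues the previous challenge.
PARAM_RE = re.compile("^" + TOKEN + r"\s*=")
# Any other element starts a new challenge with its auth-scheme token.
SCHEME_RE = re.compile("^(" + TOKEN + r")(?:\s|$)")

# Constructed sample: one unknown scheme, with a comma inside a quoted realm.
SAMPLE_HEADER = 'Example-Scheme realm="members, staff", uri="/login"'

class NoUsableChallenge(Exception):
    """None of the challenges offered by the server is supported."""

def split_list(value):
    """Split a header value on commas that are outside quoted strings."""
    items, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            items.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    items.append("".join(buf).strip())
    return [item for item in items if item]

def offered_schemes(header_values):
    """Return the lowercase auth-schemes named in WWW-Authenticate values."""
    schemes = []
    for value in header_values:
        for item in split_list(value):
            if PARAM_RE.match(item):
                continue  # parameter of the current challenge
            match = SCHEME_RE.match(item)
            if match:
                schemes.append(match.group(1).lower())
    return schemes

def choose_scheme(header_values, supported):
    """Pick the first supported scheme the server offered, else abort."""
    offered = offered_schemes(header_values)
    for scheme in supported:  # caller's preference order
        if scheme in offered:
            return scheme
    # No fallback to Basic: credentials are only sent for an offered scheme.
    raise NoUsableChallenge("offered: " + ", ".join(offered))
```
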