- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 22 Sep 2010 17:07:09 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>
On 13.09.2010 17:58, Julian Reschke wrote:
> Hi,
>
> I just applied the (slightly modified) changes with
> <http://trac.tools.ietf.org/wg/httpbis/trac/changeset/998>; which means
> that ticket 237 can be closed once the next draft is out.
>
> If there are issues with the text that was added we probably should
> treat them as new bugs.
>
> Best regards, Julian

Hi,

there was a left-over from this change... RFC 2617 says in
<http://greenbytes.de/tech/webdav/rfc2617.html#rfc.section.1.2.p.9>:

   "Note that many browsers will only recognize Basic and will require that
   it be the first auth-scheme presented. Servers should only include Basic
   if it is minimally acceptable."

This has two problems: first of all, it's in the wrong place (it should
be close to the definition of challenges, not credentials). Second, this
was written in 1999, and surely isn't true anymore. Right? RIGHT?

Wrong.

I checked with

1.

   WWW-Authenticate: BASIC realm="basic", UNKNOWN realm="xyz"

2.

   WWW-Authenticate: UNKNOWN realm="xyz", BASIC realm="basic"

and

3.

   WWW-Authenticate: UNKNOWN realm="xyz"
   WWW-Authenticate: BASIC realm="basic"

...and indeed, only variant 1) worked in all browsers
(FF/IE/Chrome/Safari/Opera) I tried. The only browser that seems to grok
options 2 and 3 is Safari.

So, apparently a warning is still needed. I have rephrased the Note to:

   Note: Many browsers fail to parse challenges containing unknown
   schemes. A workaround for this problem is to list well-supported
   schemes (such as "basic") first.

and moved it up below the other note on parsing challenges (see
<http://trac.tools.ietf.org/wg/httpbis/trac/changeset/1018>).

With respect to the actual browser bug(s): is anybody aware of existing
bugs in the bug tracking systems? Do we need to raise new ones?

Best regards, Julian

Received on Wednesday, 22 September 2010 15:07:48 UTC
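
Added example, not part of the original message and not taken from any browser: a JavaScript challenge parser that skips schemes it does not know, so that all three WWW-Authenticate variants tested in the message resolve to the same Basic challenge. The function names and the client-side preference list are assumptions of this example, and only auth-param style challenges are handled.

```javascript
// Added example: WWW-Authenticate parsing that tolerates unknown schemes.
// Assumption: challenges carry auth-params only (name=value pairs).
const PARAM = /^([!#$%&'*+\-.^_`|~0-9A-Za-z]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s",]+))$/;
const SCHEME = /^([!#$%&'*+\-.^_`|~0-9A-Za-z]+)(?:\s+(.*))?$/;

// Split a field value on commas that are outside quoted-strings.
function splitOutsideQuotes(value) {
  const parts = [];
  let cur = "", inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const c = value[i];
    if (inQuotes && c === "\\" && i + 1 < value.length) { cur += c + value[++i]; continue; }
    if (c === '"') inQuotes = !inQuotes;
    if (c === "," && !inQuotes) { parts.push(cur.trim()); cur = ""; continue; }
    cur += c;
  }
  parts.push(cur.trim());
  return parts.filter((p) => p !== "");
}

function addParam(challenge, m) {
  const value = m[2] !== undefined ? m[2].replace(/\\(.)/g, "$1") : m[3];
  challenge.params[m[1].toLowerCase()] = value;
}

// fieldValues: one string per WWW-Authenticate header field, in received order.
function parseChallenges(fieldValues) {
  const challenges = [];
  for (const value of fieldValues) {
    let current = null; // auth-params never carry over between header fields
    for (const part of splitOutsideQuotes(value)) {
      const param = PARAM.exec(part);
      if (param && current) { addParam(current, param); continue; }
      const m = SCHEME.exec(part);
      if (!m) continue; // malformed element: skip it, keep the other challenges
      current = { scheme: m[1].toLowerCase(), params: {} };
      challenges.push(current);
      const first = m[2] ? PARAM.exec(m[2].trim()) : null;
      if (first) addParam(current, first);
    }
  }
  return challenges;
}

// supported: scheme names the client implements, most preferred first.
function pickChallenge(fieldValues, supported) {
  const challenges = parseChallenges(fieldValues);
  for (const scheme of supported) {
    const hit = challenges.find((c) => c.scheme === scheme);
    if (hit) return hit;
  }
  return null;
}
```

Because selection follows the client's own preference list rather than the order the server sent, the position of the unknown scheme in the header does not affect which challenge is answered.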