W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2013

WGLC p7: Parsing auth challenges

From: Ben Niven-Jenkins <ben@niven-jenkins.co.uk>
Date: Mon, 29 Apr 2013 19:55:38 +0100
Message-Id: <8F6FB0A1-4D7E-4847-92A7-14B240FAC23A@niven-jenkins.co.uk>
To: HTTP Working Group <ietf-http-wg@w3.org>

In sections 2.1 & 4.4 (and by reference 4.2) of p7 User Agents are guided to take "special care" when parsing WWW-Authenticate and/or Proxy-Authenticate header field values, but it is never plainly stated what that means.

From the grammar, it looks as if the critical distinction is that (ignoring any allowed whitespace for brevity):

A sequence "," token "=" means we are now receiving a parameter to an existing challenge. This is guaranteed because the "=" and value are non-optional components of auth-param. (The grammar would be unresolvably ambiguous otherwise.)

A sequence "," token and anything other than "=" means we are now receiving the start of a new challenge. This is guaranteed because token68 may not contain "," and token (for a following auth-param) may not be empty. (The grammar would be unresolvably ambiguous otherwise.)

(And if we don't get something, after whitespace elimination, which is either the end of the header field value or a token after the ",", then the value is invalid and should be rejected.)

If that interpretation is correct, it would be helpful to state this clearly, rather than merely infer it. (And if that interpretation is not correct, clearly relying on inference alone is unreliable!)

There is perhaps still the question of whether in the face of multiple WWW/Proxy-Authenticate headers, the implied "," separating their values according to #rule is still allowed to operate at both levels of the grammar, or only at the outermost (#challenge) level.

Received on Monday, 29 April 2013 18:56:00 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:10 UTC