- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 09 Jan 2013 18:40:23 +0100
- To: Alexander Dutton <alexander.dutton@oucs.ox.ac.uk>
- CC: ietf-http-wg@w3.org
On 2013-01-09 18:32, Alexander Dutton wrote: > Also worth noting the WWW-Authenticate header, which takes > comma-separated values, themselves containing unquoted commas (and so > breaks the alleged unwritten rule), e.g.: > > WWW-Authenticate: Bearer realm="example.org", error="invalid_token", > Basic realm="example.org" > > The division between items is the comma-space before a token not > followed by a comma-space. > > (Yes, I've had fun because of this) > > Yours, > > Alex Indeed. WWW-Authenticate is as bad as Set-Cookie, just in a different way. At least it's *possible* to process properly. See also <http://greenbytes.de/tech/tc/httpauth/#multidisgscheme>. Best regards, Julian
Received on Wednesday, 9 January 2013 17:40:52 UTC