- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Mon, 25 Mar 2013 12:39:55 +0100
- To: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
- CC: Mark Nottingham <mnot@mnot.net>, ietf-http-wg@w3.org

On 2013-03-25 10:25, "Martin J. Dürst" wrote:
> On 2013/03/19 5:46, Julian Reschke wrote:
>> On 2013-03-18 21:02, Mark Nottingham wrote:
>>> Have you done any testing around what UAs currently do with RFC5987
>>> encoding there, or just UTF-8?
>>> ...
>>
>> Apparently they do either ISO-8859-1, or use the UA's locale (see
>> discussion on http-auth).
>>
>> I haven't tried RFC5987, but I'm pretty sure nobody supports it (will
>> add test case soonish).
>>
>> We may want to leave "realm" alone, and instead add something for
>> display purposes ("prompt", "name"?).
>
> I haven't worked this out, and it's not my area of expertise, so I'm
> just writing this up so that it doesn't get forgotten:
>
> If the "realm" and the "display name" are separate, that might lead to
> some subtle security issues (same display name but different realms,...).

Indeed. If we did this, we would recommend to always display the realm *as well*.

Best regards, Julian

Received on Monday, 25 March 2013 11:40:28 UTC