- From: Michael Sweet <msweet@apple.com>
- Date: Wed, 30 Oct 2013 10:39:44 -0400
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Julian,

This might be a case of what-is-defined vs. what-is-used, but in my experience user agents/clients don't support multiple WWW-Authenticate headers and often do not look past the first challenge in the value. Given that the current p1-messaging draft says that senders MUST NOT repeat headers (section 3.2.2) and that WWW-Authenticate is not listed as an exception like Set-Cookie, I think it would be appropriate/safe to drop the "or if more than one WWW-Authenticate header field is provided" part in p7-auth.

On Oct 30, 2013, at 10:10 AM, Julian Reschke <julian.reschke@gmx.de> wrote:

> Hi there,
>
> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-24.html#rfc.section.4.4>:
>
> "User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters."
>
> This is text that we copied from RFC 2616 (<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.47>). However, isn't the
>
> "...if more than one WWW-Authenticate header field is provided..."
>
> incorrect?
>
> What's contained in a challenge does not depend on the number of header field instances, after all.
>
> Best regards, Julian

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
Received on Wednesday, 30 October 2013 14:38:54 UTC
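The parsing difficulty discussed in this thread (commas separate challenges, and also separate the authentication parameters inside one challenge) is shown below as an added example; it is not code from either poster or from the drafts. It assumes that several field instances are combined by joining their values with commas, and `parse_challenges`, `unquote` and `SAMPLE` are names made up for this sketch.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM_RE = re.compile(rf"({TOKEN})\s*=\s*({TOKEN}|{QUOTED})")   # auth-param
SCHEME_RE = re.compile(rf"({TOKEN})(?:\s+(.*))?", re.S)         # scheme [data]
TOKEN68_RE = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
ITEM_RE = re.compile(rf'(?:[^,"]|{QUOTED})+')   # split on commas outside quotes

# Constructed sample field values (not taken from the thread).
SAMPLE = ['Negotiate dGVzdA==', 'Digest realm="a, b", qop="auth,auth-int"']


def unquote(value):
    """Strip the quotes and backslash escapes from a quoted-string."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(field_values):
    """Return [(scheme, token68_or_None, {param: value})] for every challenge."""
    combined = ", ".join(field_values)  # assumption: instances are comma-joined
    challenges = []
    for raw in ITEM_RE.findall(combined):
        item = raw.strip()
        if not item:
            continue                    # empty list element
        m = PARAM_RE.fullmatch(item)
        if m:                           # bare auth-param: belongs to the current challenge
            if not challenges:
                raise ValueError(f"auth-param before any scheme: {item!r}")
            challenges[-1][2][m.group(1).lower()] = unquote(m.group(2))
            continue
        m = SCHEME_RE.fullmatch(item)   # otherwise the element starts a new challenge
        if not m:
            raise ValueError(f"malformed challenge element: {item!r}")
        scheme, rest = m.group(1), (m.group(2) or "").strip()
        entry = [scheme, None, {}]
        p = PARAM_RE.fullmatch(rest)
        if p:
            entry[2][p.group(1).lower()] = unquote(p.group(2))
        elif TOKEN68_RE.fullmatch(rest):
            entry[1] = rest             # token68 data such as a base64 blob
        elif rest:
            raise ValueError(f"malformed challenge data: {rest!r}")
        challenges.append(entry)
    return [tuple(c) for c in challenges]
```

A client that stops at the first comma, or at the first challenge, would see only `Negotiate` in `SAMPLE` and never reach the `Digest` challenge.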