- From: Michael Sweet <msweet@apple.com>
- Date: Wed, 30 Oct 2013 11:00:32 -0400
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

Julian,

On Oct 30, 2013, at 10:50 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 2013-10-30 15:39, Michael Sweet wrote:
>> Julian,
>>
>> This might be a case of what-is-defined vs. what-is-used, but in my experience user agents/clients don't support multiple WWW-Authenticate headers and often do not look past the first challenge in the value.
>
> Multiple challenges in one header field: <http://greenbytes.de/tech/tc/httpauth/#multibasicunknown2> (fail for everyone except Safari and Konqueror)
>
> Multiple header field instances: <http://greenbytes.de/tech/tc/httpauth/#multibasicunknown2mf> (seems to work interoperably)

I'm glad to see the multiple header situation has improved; my last experiments with this 3-4 years ago (trying to support simultaneous Basic and Negotiate auth for CUPS) were not successful at all...

>> Given that the current p1-messaging draft says that senders MUST NOT repeat headers (section 3.2.2) and that WWW-Authenticate is not listed as an exception like Set-Cookie, I think it would be appropriate/safe to drop the "or if more than one WWW-Authenticate header field is provided" part in p7-auth.
>
> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-24.html#rfc.section.3.2.2.p.2>:
>
> "A sender MUST NOT generate multiple header fields with the same field name in a message unless either the entire field value for that header field is defined as a comma-separated list [i.e., #(values)] or the header field is a well-known exception (as noted below)."
>
> So WWW-Authenticate does not need to be listed as exception because it *does* use the list syntax.
>
> Best regards, Julian
>

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

Received on Wednesday, 30 October 2013 14:59:59 UTC
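
The two layouts compared in this message, several challenges in one WWW-Authenticate value and several field instances, are equivalent under the list rule quoted above. The sketch below is an added example (not part of the original e-mail, and not code from CUPS or any browser) that parses either form and picks a scheme by client preference instead of stopping at the first challenge; the function names and sample values are hypothetical.

```python
import re
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM = re.compile(rf'({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))\s*$')
START = re.compile(rf"({TOKEN})(?:\s+(.*))?$", re.S)
TOKEN68 = re.compile(r"[A-Za-z0-9\-._~+/]+=*$")

def split_list(value):
    """Split a field value on commas that sit outside quoted-strings."""
    items, start, quoted, escaped = [], 0, False, False
    for i, ch in enumerate(value):
        if escaped:
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items.append(value[start:i].strip())
            start = i + 1
    items.append(value[start:].strip())
    return [item for item in items if item]  # empty list elements are ignored

def _value(m):  # (name, value) of a PARAM match, quoted-pairs unescaped
    name, quoted, tok = m.groups()
    return name.lower(), tok if quoted is None else re.sub(r"\\(.)", r"\1", quoted)

def parse_challenges(field_values):
    """field_values: one string per field instance; instances combine into one list."""
    # Constructed sample input: ['Negotiate', 'Basic realm="a, b", charset="UTF-8"']
    challenges = []
    for item in split_list(", ".join(field_values)):
        m = PARAM.match(item)
        if m and challenges:  # bare auth-param: belongs to the challenge before it
            challenges[-1]["params"].update([_value(m)])
            continue
        m = START.match(item)  # otherwise the item must open a new challenge
        rest = (m.group(2) or "").strip() if m else ""
        p = PARAM.match(rest)
        if not m or (rest and not p and not TOKEN68.match(rest)):
            raise ValueError(f"malformed challenge: {item!r}")
        challenges.append({"scheme": m.group(1),
                           "token68": None if p or not rest else rest,
                           "params": dict([_value(p)]) if p else {}})
    return challenges

def select(challenges, preference):
    """Challenge for the most-preferred scheme (lowercase names), wherever it appears."""
    by_scheme = {c["scheme"].lower(): c for c in reversed(challenges)}
    return next((by_scheme[s] for s in preference if s in by_scheme), None)
```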