Re: The Hypertext Transfer Protocol (HTTP) Authentication-Info Header Field

On 28/01/2015 11:59 p.m., Julian Reschke wrote:
> On 2015-01-28 10:59, Amos Jeffries wrote:
>> ...
>> I think it's a good idea.
>> ...
> 
> Thanks.
> 
>> It is also worth noting at this point that those headers are already in
>> use in the wild (by Squid at least) for Negotiate scheme in a way that
>> does not match the ABNF. Instead they just echo back from the server the
>> accepted "Negotiate <token>" credentials received from the client.
>> ...
> 
> Well, Negotiate already is that weirdo (see RFC 7236).
> 
> We *could* define Authentication-Info without having an ABNF, but I'd
> prefer to stick to what RFC 2617 said (it's flexible enough).
> 
>> I am not sure exactly why Squid does this, I've queried our dev team to
>> see if anyone knows.
> 
> Thanks. It's certainly not documented in the RFC. In a quick search, I
> also found <http://curl.haxx.se/mail/archive-2009-02/0106.html>.
> 
> Best regards, Julian
> 

After some investigation it seems there is no other software out there
doing this and we can find no clients making use of it. The curl
references all seem to be people operating curl through a Squid.

So FYI, I will be removing the odd syntax use from all the upcoming
Squid releases (3.5.2 and 3.4.12 onward).

Amos

Received on Saturday, 31 January 2015 14:05:19 UTC
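
Added example, not part of the original message and not Squid's code: a Python check that separates Authentication-Info / Proxy-Authentication-Info values matching a comma-separated auth-param list from the echoed "Negotiate <token>" form described in the thread. The grammar is taken from RFC 7235 (auth-param) and RFC 7230 (token, quoted-string) as an assumption about the ABNF under discussion; function names and sample values are constructed.

```python
import re

# token and quoted-string per RFC 7230; auth-param per RFC 7235 (assumed grammar).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[\t \x21\x23-\x5B\x5D-\x7E\x80-\xFF]|\\[\t \x21-\x7E\x80-\xFF])*"'
AUTH_PARAM = re.compile(rf"[ \t]*({TOKEN})[ \t]*=[ \t]*({TOKEN}|{QUOTED})[ \t]*")
# Legacy form from the thread: the accepted "Negotiate <token>" credentials echoed back.
NEGOTIATE_ECHO = re.compile(r"^[ \t]*Negotiate[ \t]+[A-Za-z0-9+/]+=*[ \t]*$", re.I)


def parse_auth_info(value):
    """Return {name: value} if value is a comma-separated auth-param list, else None."""
    params, pos = {}, 0
    while pos < len(value):
        # The HTTP list rule tolerates empty elements and optional whitespace.
        if value[pos] in ", \t":
            pos += 1
            continue
        m = AUTH_PARAM.match(value, pos)
        if not m:
            return None
        end = m.end()
        # After one auth-param only a comma or end of value is allowed.
        if end < len(value) and value[end] != ",":
            return None
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo quoted-pair escapes
        params[name] = raw
        pos = end
    return params


def classify(value):
    """Label a header value: 'negotiate-echo', 'auth-params' or 'invalid'."""
    if NEGOTIATE_ECHO.match(value):
        return "negotiate-echo"
    return "auth-params" if parse_auth_info(value) is not None else "invalid"


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    for sample in ('nextnonce="abc123", qop=auth, nc=00000001',
                   "Negotiate YIIBhg==",
                   "nextnonce=abc qop=auth"):
        print(f"{classify(sample):15} {sample}")
```
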