- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 27 May 2008 18:05:27 +0200
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- CC: "Web API WG (public)" <public-webapi@w3.org>
Bjoern Hoehrmann wrote:
> * Julian Reschke wrote:
>> Julian Reschke wrote:
>>> Anne van Kesteren wrote:
>>> > ...
>>>> From what I recall at least Firefox does it that way in practice.
>>>> Currently it does not give any indication what kind of character
>>>> encoding needs to be used so we picked the most obvious one.
>>>> ...
>>> I just tried, and as far as I can tell, it uses ISO-8859-1.
>> More tests reveal that IE, Firefox and Safari use ISO-8859-1, while
>> Opera uses UTF-8. From my reading of RFC2617 and RFC2616, using
>> ISO-8859-1 actually is correct (like it or not).
>
> Assuming this is about the encoding of username and password in HTTP
> Basic Authentication, then I think your interpretation and tests are
> incorrect, or my contradictory results are no longer valid, see:
>
> http://lists.osafoundation.org/pipermail/ietf-http-auth/2006-September/000374.html

Interesting. I should have mentioned that I made the assumption that UAs use the same encoding for both browser access (which I tested) and XHR. Apparently that is not the case (which makes things even worse from my p.o.v.).

> I believe the if-not-iso-8859-1 remark in RFC 2616 is irrelevant here
> as you have to pick a character encoding before you apply the base64
> transformation. It is the base64 encoded string that the 2616 remark
> would apply to.

Nope. From <http://greenbytes.de/tech/webdav/rfc2617.html#rfc.section.2>:

    credentials       = "Basic" basic-credentials
    basic-credentials = base64-user-pass
    base64-user-pass  = <base64 [4] encoding of user-pass,
                         except not limited to 76 char/line>
    user-pass         = userid ":" password
    userid            = *<TEXT excluding ":">
    password          = *TEXT

So, userid and password both allow ISO-8859-1 (via TEXT), and their contents get base64-encoded.

> I would be interested to know what Internet Explorer 7 on a system does
> where the default code page is not CP1252, my suspicion would be that
> the default code page is used, rather than Windows-1252, but I lack the
> setup to confirm or deny that at the moment. If anyone is going to test
> this, posting the results to the http-auth list would be a good idea.

I recall that people mentioned somewhere else that the encoding can depend on the locale, both for IIS and IE.

The situation *is* bad, but claiming that UTF-8 is what's in use IMHO is incorrect. Yes, the I18N problems of Basic Authentication need to be fixed, but XHR is not the right place to do it.

BR, Julian

Received on Tuesday, 27 May 2008 16:12:51 UTC
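
Added example, not part of the original message: a Python sketch of the interoperability problem discussed in this thread, showing that one non-ASCII password yields different Basic credentials depending on whether the client encodes user-pass as ISO-8859-1 or UTF-8, and how a server-side parser can misread the result. The function names, the sample credentials and the UTF-8-first fallback policy are assumptions made for illustration; the thread does not prescribe any of them.

```python
import base64


def basic_header(userid: str, password: str, charset: str) -> str:
    """Build the Authorization value as a client using `charset` would."""
    if ":" in userid:
        raise ValueError("userid must not contain ':' (RFC 2617 user-pass)")
    raw = f"{userid}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header: str):
    """Return (userid, password, charset_guess), or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    # Assumed policy: strict UTF-8 first, then ISO-8859-1. ISO-8859-1 maps
    # every byte, so the fallback cannot fail, but it also means the guess
    # is a heuristic: some ISO-8859-1 strings are also valid UTF-8.
    try:
        text, guess = raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        text, guess = raw.decode("iso-8859-1"), "iso-8859-1"
    if raw.isascii():
        guess = "ascii"  # both encodings agree, no ambiguity
    userid, sep, password = text.partition(":")  # password may contain ':'
    if not sep:
        return None
    return userid, password, guess


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    user, pw = "julian", "na\u00efve-p\u00e4sswort"
    for cs in ("iso-8859-1", "utf-8"):
        hdr = basic_header(user, pw, cs)
        print(f"{cs:11} {hdr}  ->  {parse_basic(hdr)}")
    # Edge case: ISO-8859-1 bytes C3 A9 are also valid UTF-8, so the
    # parser's guess is wrong and the password silently changes.
    print(parse_basic(basic_header("u", "\u00c3\u00a9", "iso-8859-1")))
```

Because the guess can be wrong, a server that hashes the decoded password should record which encoding was used when the credential was set and compare against both byte forms deliberately, rather than relying on detection.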