- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Mon, 11 Jul 2011 22:38:16 +0900
- To: "public-webapps@w3.org" <public-webapps@w3.org>
Hi, the current spec seems a bit hand-wavey on how headers should be sent when user name and password parameters are given in the open call. It just says "send Authorization headers and handle 401 Unauthorized requests appropriately." Many implementations don't send the Authorize: header even if the script supplies user name and password, unless they have seen a 401 response. This seems a bit counter-intuitive to authors - if they supply a user name and a password, why isn't the browser actually sending it to the server? I think it would be simpler to author for if we sent Authorize: whenever a user name and password is supplied. Are there any particular reason we don't? Would it be seen as violating the HTTP standard's text about 401 and Authorize: if we did spec something like that? -- Hallvord R. M. Steen, Core Tester, Opera Software http://www.opera.com http://my.opera.com/hallvors/
Received on Monday, 11 July 2011 13:38:30 UTC