- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 26 Nov 2008 11:56:46 +0100
Martin Atkins wrote: > This idea has promise, but is it compatible with existing browsers? > > The case where the only challenge included is HTML is probably okay, > since browsers will at this point likely determine that they don't > support any of the given schemes and just display the entity body. The > only concern in this case is browser-provided default error pages for > the 401 response, which can hopefully be suppressed in much the same way > as sites suppress IE's default 404 error page by padding the response to > take it above a certain filesize. > > More bothersome is this case: > HTTP/1.1 401 Unauthorized > ... > WWW-Authenticate: HTML form="login" > WWW-Authenticate: Basic realm="..." > ... Is that case relevant? Today, those sites do not support Basic (or Digest) at all, or only send the 401 for certain user agents and/or methods. So I wouldn't expect them to start adding the non-HTMLL auth challenge... > ... BR, Julian
Received on Wednesday, 26 November 2008 02:56:46 UTC