httpwg / httpbis-issues


note about WWW-A parsing potentially misleading #516

Closed mnot closed 3 years ago

mnot commented 10 years ago

http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-24.html#rfc.section.4.4:

"User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters."

This is text that we copied from RFC 2616 (http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.47). However, isn't the

"...if more than one WWW-Authenticate header field is provided..."

incorrect?

What's contained in a challenge does not depend on the number of header field instances, after all.

(note that similar text appears one more time; we should also look into reducing duplication)

Reported by julian.reschke@gmx.de, migrated from https://trac.ietf.org/trac/httpbis/ticket/516
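The parsing hazard in the quoted advice, as an added example that is not part of the issue or the draft: commas separate both challenges and auth-params, so each list element has to be classified rather than the value simply split on commas. The function name `parse_challenges` and the sample field values are constructed for illustration; the sketch follows the challenge and auth-param grammar and treats several field instances as one comma-joined list.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = re.compile(rf"({TOKEN})[ \t]*=[ \t]*({TOKEN}|{QUOTED})")
TOKEN68 = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
ELEMENT = re.compile(rf'(?:{QUOTED}|[^",])+')    # commas inside quotes do not split
WELL_QUOTED = re.compile(rf'(?:{QUOTED}|[^"])*')

def parse_challenges(field_lines):
    """field_lines: one string per WWW-Authenticate header field instance."""
    joined = ", ".join(field_lines)  # N field instances == one comma-joined list
    if not WELL_QUOTED.fullmatch(joined):
        raise ValueError("unterminated quoted-string")
    challenges = []
    for element in (e.strip() for e in ELEMENT.findall(joined)):
        if not element:
            continue  # the list syntax tolerates empty elements
        m = PARAM.fullmatch(element)
        if m is None:  # not a bare name=value, so it opens a new challenge
            scheme, _, rest = element.partition(" ")
            if not re.fullmatch(TOKEN, scheme):
                raise ValueError(f"expected auth-scheme in {element!r}")
            challenges.append({"scheme": scheme, "token68": None, "params": {}})
            rest = rest.strip()
            m = PARAM.fullmatch(rest)
            if m is None:  # scheme alone, or scheme followed by token68
                if rest and not TOKEN68.fullmatch(rest):
                    raise ValueError(f"malformed challenge {element!r}")
                challenges[-1]["token68"] = rest or None
                continue
        elif not challenges:
            raise ValueError(f"auth-param before any auth-scheme: {element!r}")
        name, raw = m.group(1).lower(), m.group(2)  # param names are case-insensitive
        if name in challenges[-1]["params"]:
            raise ValueError(f"duplicate auth-param {name!r}")
        unquoted = re.sub(r"\\(.)", r"\1", raw[1:-1]) if raw[0] == '"' else raw
        challenges[-1]["params"][name] = unquoted
    return challenges

# Constructed sample: two field instances, three challenges, one quoted comma.
SAMPLE = [
    'Newauth realm="apps, staging", type=1, Basic realm="simple"',
    "Negotiate YWJj=",
]

if __name__ == "__main__":
    for challenge in parse_challenges(SAMPLE):
        print(challenge)
```
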

mnot commented 10 years ago

julian.reschke@gmx.de changed description from:

http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-24.html#rfc.section.4.4:

"User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters."

This is text that we copied from RFC 2616 (http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.47). However, isn't the

"...if more than one WWW-Authenticate header field is provided..."

incorrect?

What's contained in a challenge does not depend on the number of header field instances, after all.

to:

http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-24.html#rfc.section.4.4:

"User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters."

This is text that we copied from RFC 2616 (http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.47). However, isn't the

"...if more than one WWW-Authenticate header field is provided..."

incorrect?

What's contained in a challenge does not depend on the number of header field instances, after all.

(note that similar text appears one more time; we should also look into reducing duplication)

mnot commented 10 years ago

julian.reschke@gmx.de commented:

see 2455

mnot commented 10 years ago

julian.reschke@gmx.de changed severity from In WG Last Call to In IETF LC