A user account is required in order to edit this wiki, but we've had to disable public user registrations due to spam.

To request an account, ask an autoconfirmed user on IRC (such as one of these permanent autoconfirmed members).

Difference between revisions of "HTTP Authentication"

From WHATWG Wiki
Jump to: navigation, search
(Created page with "Some notes for https://tools.ietf.org/html/rfc2617 based on Gecko. Notes from other implementations welcome. When performing a fetch to a given URL: * If there's an Authoriz...")
 
m
Line 15: Line 15:
 
* realm
 
* realm
  
Major credits: mayhemer, bz.
+
Major credits: Honza Bambas, Boris Zbarsky.
  
 
[[Category:Spec coordination]]
 
[[Category:Spec coordination]]

Revision as of 16:56, 18 April 2013

Some notes for https://tools.ietf.org/html/rfc2617 based on Gecko. Notes from other implementations welcome.

When performing a fetch to a given URL:

  • If there's an Authorization cache match, include the Authorization header using the cache without 401 challenge.
  • Otherwise, if the URL includes credentials, wait for challenge, then use those credentials per the authentication scheme given (i.e. perform a basic fetch). Prompt if that fails.
  • Otherwise, there's no match and URL does not include credentials, if there's a 401 challenge, prompt the user, potentially prefilling the form based on origin and realm.

("CORS" disables some of this for cross-origin and anonymous requests.)

Cache match is based on:

  • origin
  • "directory" (e.g. /1 means /, so /2 would give a cache match)
  • realm

Major credits: Honza Bambas, Boris Zbarsky.