HTTP Authentication

From WHATWG Wiki
Revision as of 17:02, 18 April 2013 by Annevk (talk | contribs)

Some notes for https://tools.ietf.org/html/rfc2617 based on Gecko. Notes from other implementations welcome.

When performing a fetch to a given URL, optionally with a use URL credentials flag:

  • If there's an Authorization cache match and either the use URL credentials flag is unset or the URL does not include credentials, include the Authorization header from the cache without waiting for a 401 challenge.
  • Otherwise, if the URL includes credentials, wait for the challenge, then use those credentials per the authentication scheme given (i.e. perform a basic fetch). Prompt if that fails.
  • Otherwise (there's no cache match and the URL does not include credentials), if there's a 401 challenge, prompt the user, potentially prefilling the form based on origin and realm.

("CORS" disables some of this for cross-origin and anonymous requests.)

Cache match is based on:

  • origin
  • "directory" (e.g. the directory of /1 is /, so /2 would give a cache match)
  • realm
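
The fetch steps and cache-match keys above, sketched as an added JavaScript example (not Gecko code and not part of the original notes). `AuthCache`, `decide` and `directoryOf` are hypothetical names; the sketch assumes a Basic challenge, assumes that the realm is only consulted once a 401 has supplied it, and assumes that paths at or below the cached directory match, as RFC 2617 section 2 describes.

```javascript
// Added illustration of the notes above; all names here are hypothetical.
// "/1" -> "/", "/docs/a" -> "/docs/"
const directoryOf = (pathname) => pathname.slice(0, pathname.lastIndexOf("/") + 1);

class AuthCache {
  constructor() { this.entries = []; }

  // Remember credentials that a server accepted for this URL and realm.
  store(url, realm, authorization) {
    const u = new URL(url);
    this.entries.push({ origin: u.origin, dir: directoryOf(u.pathname), realm, authorization });
  }

  // Before any challenge the realm is unknown, so match on origin + directory.
  // Assumption: paths at or below the cached directory match (RFC 2617, section 2).
  preemptive(u) {
    return this.entries.find((e) => e.origin === u.origin && u.pathname.startsWith(e.dir));
  }

  // After a 401 the realm is known; used here only to prefill the prompt.
  prefill(u, realm) {
    return this.entries.find((e) => e.origin === u.origin && e.realm === realm);
  }
}

// challenge: null before any response, or { realm } once a 401 has arrived.
function decide(cache, url, { useURLCredentials = false, challenge = null } = {}) {
  const u = new URL(url);
  const hasCreds = u.username !== "" || u.password !== "";

  const hit = cache.preemptive(u);
  if (hit && (!useURLCredentials || !hasCreds)) {
    return { action: "send-cached", authorization: hit.authorization };
  }
  if (hasCreds) {
    if (!challenge) return { action: "wait-for-challenge" };
    // Assumption: the challenge is Basic, so the header is base64(user:password).
    const pair = decodeURIComponent(u.username) + ":" + decodeURIComponent(u.password);
    return { action: "send-url-credentials", authorization: "Basic " + btoa(pair) };
  }
  if (challenge) {
    const known = cache.prefill(u, challenge.realm);
    return { action: "prompt", prefill: known ? known.authorization : null };
  }
  return { action: "send-unauthenticated" };
}
```

With the flag unset, credentials embedded in the URL lose to a cached entry, and every path under the cached directory receives the Authorization header before the server has asked for it.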

Major credits: Honza Bambas, Boris Zbarsky.