A user account is required in order to edit this wiki, but we've had to disable public user registrations due to spam.

To request an account, ask an autoconfirmed user on Chat (such as one of these permanent autoconfirmed members).

Difference between revisions of "HTTP Authentication"

From WHATWG Wiki
Jump to navigation Jump to search
Line 16: Line 16:

Major credits: Honza Bambas, Boris Zbarsky.
Major credits: Honza Bambas, Boris Zbarsky.
Relevant Gecko code pointers:
* http://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpAuthCache.cpp#523
* http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsXMLHttpRequest.cpp#2789
* http://hg.mozilla.org/mozilla-central/annotate/fa5d5fccbc11/netwerk/base/public/nsIChannel.idl#l250

[[Category:Spec coordination]]
[[Category:Spec coordination]]

Latest revision as of 17:29, 18 April 2013

Some notes for https://tools.ietf.org/html/rfc2617 based on Gecko. Notes from other implementations welcome.

When performing a fetch to a given URL, optionally with a use URL credentials flag:

  • If there's an Authorization cache match and either the use URL credentials flag is unset or URL does not include credentials, include the Authorization header using the cache without 401 challenge.
  • Otherwise, if the URL includes credentials, wait for challenge, then use those credentials per the authentication scheme given (i.e. perform a basic fetch). Prompt if that fails.
  • Otherwise, there's no match and URL does not include credentials, if there's a 401 challenge, prompt the user, potentially prefilling the form based on origin and realm.

("CORS" disables some of this for cross-origin and anonymous requests.)

Cache match is based on:

  • origin
  • "directory" (e.g. /1 means /, so /2 would give a cache match)
  • realm

Major credits: Honza Bambas, Boris Zbarsky.

Relevant Gecko code pointers: