Some notes for https://tools.ietf.org/html/rfc2617 based on Gecko. Notes from other implementations welcome.
When performing a fetch to a given URL, optionally with a use URL credentials flag:
- If there's an Authorization cache match and either the use URL credentials flag is unset or URL does not include credentials, include the Authorization header using the cache without 401 challenge.
- Otherwise, if the URL includes credentials, wait for challenge, then use those credentials per the authentication scheme given (i.e. perform a basic fetch). Prompt if that fails.
- Otherwise, there's no match and URL does not include credentials, if there's a 401 challenge, prompt the user, potentially prefilling the form based on origin and realm.
("CORS" disables some of this for cross-origin and anonymous requests.)
Cache match is based on:
- "directory" (e.g. /1 means /, so /2 would give a cache match)
Major credits: Honza Bambas, Boris Zbarsky.
Relevant Gecko code pointers: