HTTP Authentication

From WHATWG Wiki

Some notes on https://tools.ietf.org/html/rfc2617, based on Gecko. Notes from other implementations are welcome.

When performing a fetch to a given URL, optionally with a use URL credentials flag:

  • If there's an Authorization cache match and either the use URL credentials flag is unset or the URL does not include credentials, include the Authorization header from the cache without waiting for a 401 challenge.
  • Otherwise, if the URL includes credentials, wait for a challenge, then use those credentials per the authentication scheme given (i.e. perform a basic fetch). Prompt if that fails.
  • Otherwise (there's no cache match and the URL does not include credentials), if there's a 401 challenge, prompt the user, potentially prefilling the form based on origin and realm.

("CORS" disables some of this for cross-origin and anonymous requests.)

Cache match is based on:

  • origin
  • "directory" (e.g. the directory of /1 is /, so /2 would give a cache match)
  • realm
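
The fetch steps and cache-match keys above, modelled as an added example (not Gecko code and not part of the original notes). The names `AuthCache`, `planFetch`, `prefillFor` and `directoryOf` are hypothetical, and the `example.test` URLs used with it are constructed. Assumptions: the lookup made before any challenge uses origin and directory only, realm is compared once a 401 supplies one, and deeper directories also match (as RFC 2617 section 2 describes for Basic).

```javascript
// Added example: models the lookup order described in these notes.
// Assumptions (not stated on the page): prefix matching on the directory,
// and realm compared only after a 401 challenge has supplied one.

// "/a/1" -> "/a/", "/1" -> "/"
function directoryOf(pathname) {
  return pathname.slice(0, pathname.lastIndexOf("/") + 1);
}

class AuthCache {
  constructor() { this.entries = []; }

  // Record credentials that succeeded for `url` under `realm`.
  store(url, realm, credentials) {
    const u = new URL(url);
    this.entries.push({ origin: u.origin, dir: directoryOf(u.pathname), realm, credentials });
  }

  // Lookup before any challenge: same origin, request directory at or below the cached one.
  matchForPath(url) {
    const u = new URL(url);
    const dir = directoryOf(u.pathname);
    return this.entries.find(e => e.origin === u.origin && dir.startsWith(e.dir)) || null;
  }

  // Lookup after a 401: origin plus the realm from the challenge (used to prefill the prompt).
  prefillFor(url, realm) {
    const u = new URL(url);
    return this.entries.find(e => e.origin === u.origin && e.realm === realm) || null;
  }
}

// Decide what the fetch does before any response arrives.
function planFetch(cache, url, useURLCredentials = false) {
  const u = new URL(url);
  const urlHasCredentials = u.username !== "" || u.password !== "";
  const cached = cache.matchForPath(url);
  if (cached && (!useURLCredentials || !urlHasCredentials)) {
    return { action: "send-cached", credentials: cached.credentials };
  }
  if (urlHasCredentials) {
    const fromURL = { username: decodeURIComponent(u.username), password: decodeURIComponent(u.password) };
    return { action: "await-challenge-then-url-credentials", credentials: fromURL };
  }
  return { action: "await-challenge-then-prompt", credentials: null };
}
```

With credentials cached for `http://example.test/1`, a request for `http://user:pass@example.test/2` with the flag unset is planned as `send-cached`, so the cached credentials go out and the ones in the URL are not used.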

Major credits: Honza Bambas, Boris Zbarsky.

Relevant Gecko code pointers: