Closed
Bug 656213
Opened 14 years ago
Closed 10 years ago
Servers cannot tell the client what encoding to use for HTTP BASIC auth
Categories
(Core :: Networking: HTTP, defect)
Tracking
mozilla6
Tracking | Status | |
---|---|---|
blocking2.0 | --- | - |
People
(Reporter: briansmith, Unassigned)
(Keywords: intl)
+++ This bug was initially created as a clone of Bug #41489 +++
There needs to be some way for a server to tell the client what encoding it expects for basic auth credentials, and the client needs to respect that choice.
The solution must be implementable by server admins of common servers (IIS, Apache, nginx) using mod_headers-like approaches--without requiring code changes to HTTP servers, proxies, or web apps. The solution must be backward-compatible so that IE6/7/8/9, Safari, and other browsers can safely ignore it. The solution must work for both origin server authentication and proxy authentication.
One potential solution is http://greenbytes.de/tech/webdav/draft-reschke-basicauth-enc-latest.html. However, I am concerned that this might not meet the requirements in the previous paragraph. Separate "Authenticate-Encoding" and "Proxy-Authenticate-Encoding" header fields would clearly meet them.
We should try to come to an agreement with other browser makers on a way forward; ideally we should have a prototype of this mechanism (e.g. with "X-Moz-" prefixes) in the release where bug 41489 is resolved.
The mechanism needs to be documented on MDC when we start shipping it. We should also dogfood it on *.mozilla.org.
Comment 1•14 years ago
Test cases for extension auth-params:
http://greenbytes.de/tech/tc/httpauth/#simplebasicnewparam1
and
http://greenbytes.de/tech/tc/httpauth/#simplebasicnewparam2
These seem to work in all current browsers.
Comment 2•11 years ago
Proposed specification defining an extension parameter for servers to opt-in to UTF-8: <http://greenbytes.de/tech/webdav/draft-ietf-httpauth-basicauth-enc-02.html>
Comment 3•10 years ago
The IESG just approved a revision of the Basic Auth spec that defines the aforementioned "charset" parameter (to be published as RFC soon): http://greenbytes.de/tech/webdav/draft-ietf-httpauth-basicauth-update-07.html
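An added example, not part of the bug thread or of Mozilla's code: a sketch of how a client could honor the "charset" parameter from comment 3 when answering a single Basic challenge. The function names, the ISO-8859-1 fallback and the NFC normalization step are assumptions of this example.

```javascript
// Added example; function names are hypothetical, not Gecko's.
// Parse the auth-params of one Basic challenge (WWW-Authenticate or
// Proxy-Authenticate value). Returns null if the scheme is not Basic.
function parseBasicChallenge(header) {
  const m = /^\s*Basic(?:\s+(.*))?$/i.exec(header);
  if (!m) return null;
  const params = {};
  // name = token | "quoted-string", separated by commas
  const re = /([\w!#$%&'*+.^`|~-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))/g;
  let p;
  while ((p = re.exec(m[1] || "")) !== null) {
    const value = p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
    params[p[1].toLowerCase()] = value; // parameter names are case-insensitive
  }
  return params;
}

// Build the Authorization / Proxy-Authorization value for a challenge.
function basicCredentials(challenge, user, pass) {
  const params = parseBasicChallenge(challenge);
  if (params === null) throw new Error("not a Basic challenge");
  if (user.includes(":")) throw new Error("user-id must not contain ':'");
  const text = `${user}:${pass}`;
  // Unknown parameters are ignored, so older clients that do not know
  // "charset" keep working; only the value UTF-8 is an opt-in.
  if ((params.charset || "").toLowerCase() === "utf-8") {
    // Assumption: normalize to NFC before encoding as UTF-8.
    return "Basic " + Buffer.from(text.normalize("NFC"), "utf8").toString("base64");
  }
  // Assumption: without the opt-in this sketch falls back to ISO-8859-1.
  // Buffer's "latin1" encoder keeps only the low byte of each code unit,
  // so refuse characters it would silently truncate.
  if (/[^\u0000-\u00ff]/.test(text)) {
    throw new Error("credentials not representable without charset opt-in");
  }
  return "Basic " + Buffer.from(text, "latin1").toString("base64");
}
```

The same password yields different octets, and so a different header value, depending on whether the server opted in; a credential store that hashes the received bytes has to know which encoding the client used.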
Comment 4•10 years ago
Jason, should we jump on this? (see comment 3).
Flags: needinfo?(jduell.mcbugs)
Comment 5•10 years ago
Sure--it would be great to finally fix basic auth encoding.
Flags: needinfo?(jduell.mcbugs)
Comment 6•10 years ago
Do you think you can find an assignee for this?
Assignee: nobody → jduell.mcbugs
Updated•10 years ago
Assignee: jduell.mcbugs → nobody
Flags: needinfo?(jduell.mcbugs)
Comment 7•10 years ago
See also the patch in https://bugzilla.mozilla.org/show_bug.cgi?id=41489
Comment 8•10 years ago
The work looks like it's happening back in the original bug, so I'm duping this.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jduell.mcbugs)
Resolution: --- → DUPLICATE
Updated•9 years ago
Keywords: dev-doc-needed