
ignoring unknown parameters, Re: [http-auth] Last Call: <draft-ietf-httpauth-basicauth-update-05.txt> (The 'Basic' HTTP Authentication Scheme) to Proposed Standard

2015-02-10 11:39:08
On 2015-02-06 07:43, Julian Reschke wrote:
...
There should be an example for "no other authentication parameters are
defined -- unknown parameters MUST be ignored by recipients", otherwise
such extension points are too easily missed by implementers.

<http://greenbytes.de/tech/tc/httpauth/#simplebasicnewparam2> shows that
UAs seem to get at least this correct. I'll think about it.

OK. In my tests I don't see anybody getting *that* wrong, and the new text already is much clearer than RFC 2617 ever was.

Thus I don't think we need an example here. Also note that the real challenge (pun intended) is to parse multiple challenges properly; this is something many UAs *do* get wrong despite the prose in both RFC 2617 and RFC 7235.

Best regards, Julian
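
Added example, not part of the original message or of the draft: a sketch of a recipient that splits a WWW-Authenticate field value into its separate challenges, following the RFC 7235 grammar, and then keeps only the parameters the Basic scheme defines while ignoring unknown ones. The function names, the BASIC_KNOWN set and the sample header are illustrative assumptions.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
ITEM_RE = re.compile(rf'(?:[^",]|{QUOTED})+')  # comma-separated items, quote-aware
PARAM_RE = re.compile(rf"({TOKEN})[ \t]*=[ \t]*({TOKEN}|{QUOTED})")
SCHEME_RE = re.compile(rf"({TOKEN})(?: +(.*))?")
TOKEN68_RE = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
BASIC_KNOWN = {"realm", "charset"}  # assumption: the parameters Basic defines

def _unquote(value):
    return re.sub(r"\\(.)", r"\1", value[1:-1]) if value.startswith('"') else value

def parse_challenges(header):
    """Split one WWW-Authenticate field value into a list of challenges."""
    challenges = []
    for item in ITEM_RE.findall(header):
        item = item.strip(" \t")
        if not item:
            continue
        param = PARAM_RE.fullmatch(item)
        if param and challenges:  # bare name=value: belongs to the current challenge
            challenges[-1]["params"][param.group(1).lower()] = _unquote(param.group(2))
            continue
        start = SCHEME_RE.fullmatch(item)  # otherwise the item opens a new challenge
        if not start:
            raise ValueError(f"malformed challenge item: {item!r}")
        challenge = {"scheme": start.group(1).lower(), "token68": None, "params": {}}
        rest = (start.group(2) or "").strip(" \t")
        first = PARAM_RE.fullmatch(rest)
        if first:
            challenge["params"][first.group(1).lower()] = _unquote(first.group(2))
        elif TOKEN68_RE.fullmatch(rest):
            challenge["token68"] = rest
        elif rest:
            raise ValueError(f"malformed challenge item: {item!r}")
        challenges.append(challenge)
    return challenges

def basic_challenge(header):
    """Return the known parameters of the first Basic challenge, or None."""
    for challenge in parse_challenges(header):
        if challenge["scheme"] == "basic":
            return {k: v for k, v in challenge["params"].items() if k in BASIC_KNOWN}
    return None

# Constructed sample: two challenges, a comma inside a quoted string, unknown "foo".
SAMPLE = 'Newauth realm="apps, v2", type=1, Basic realm="simple", foo="bar", charset="UTF-8"'
```

Splitting on every comma, or treating everything after the first scheme name as one challenge, would mis-parse the sample; the quote-aware item split plus the "bare name=value continues the current challenge" rule is what keeps the two challenges apart.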


