On 2018-11-20 10:31, john.bieling--- via dev-platform wrote:
> @Anne van Kesteren
> Solved that by checking getRequestHeader("Authorization") in case of 401 and if
> that is missing, I know nsIHttpChannel did not try to authenticate.

First, I can confirm that we expect multiple authentication challenges
sent via separate response headers (WWW-Authenticate and
Proxy-Authenticate.) Internally we then separate them using \n instead
of ',' [1] because comma can be contained in a single header value
(against what the spec says). We can't correctly separate the headers
by commas, potentially even opening security holes if we do that blindly.
(We also expose the auth challenge headers this way (\n separated) to be
consumed by XHR and fetch() and exposed to DOM, where our fetch()
implementation has a bug and returns an empty string instead when \n is
contained in the header value. At least that issue has not been fixed to
this day because of a number of spec compliance arguments instead.)

When your server sends `WWW-Authenticate: X-MobileMe-AuthToken realm="Newcastle", Basic realm="Newcastle"` we see it as:

schema=`X-MobileMe-AuthToken`
challenge data=`realm="Newcastle", Basic realm="Newcastle"`

Second, if you want to check whether the channel HAS NOT performed the
requested authentication, just check the HTTP response code to be 401,
use [2]. Looking for the Authorization header is just a big hack.
Thanks
-hb-
[1] https://searchfox.org/mozilla-central/rev/b03a62c3c82316e733a3b09622c1cb7e59f64cc3/netwerk/protocol/http/nsHttpHeaderArray.h#267-274
[2] https://searchfox.org/mozilla-central/rev/b03a62c3c82316e733a3b09622c1cb7e59f64cc3/netwerk/protocol/http/nsIHttpChannel.idl#258
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
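
The per-line handling described in the message above, as an added example that is not part of the original thread and is not Gecko's code: it takes a challenge header value in the `\n`-joined form, treats the first token of each line as the scheme and the rest as opaque challenge data, and contrasts that with blind comma splitting. The function names and the `Digest` sample value are constructed for illustration.

```javascript
// Added example, not Gecko code. Input is a WWW-Authenticate value in the
// "\n"-joined form the message describes (one entry per response header line).

// One challenge per header line: first token is the scheme, the remainder is
// kept as opaque challenge data and is never split on commas.
function challengesPerLine(joined) {
  return joined
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map((line) => {
      const m = /^(\S+)(?:\s+([\s\S]*))?$/.exec(line);
      return { scheme: m[1], data: m[2] || "" };
    });
}

// True only if some header line starts with the given scheme.
function offersScheme(joined, scheme) {
  const wanted = scheme.toLowerCase();
  return challengesPerLine(joined).some((c) => c.scheme.toLowerCase() === wanted);
}

// The blind approach the message warns about: split on every comma and treat
// any part shaped like "token SP something" as the start of a new challenge.
function naiveSchemes(value) {
  const schemes = [];
  for (const part of value.split(",")) {
    const m = /^([\w!#$%&'*+.^`|~-]+)\s+\S/.exec(part.trim());
    if (m) schemes.push(m[1]);
  }
  return schemes;
}

// Header value quoted in the message: one header line, so one challenge.
const FROM_MESSAGE =
  'X-MobileMe-AuthToken realm="Newcastle", Basic realm="Newcastle"';

// Constructed sample: the same two challenges sent as two header lines.
const TWO_LINES =
  'X-MobileMe-AuthToken realm="Newcastle"\nBasic realm="Newcastle"';

// Constructed sample: a comma inside a quoted parameter value. Blind splitting
// reports a Basic challenge that the server never offered.
const COMMA_IN_VALUE = 'Digest realm="a, Basic realm=b", nonce="x"';

console.log(challengesPerLine(FROM_MESSAGE));
console.log(naiveSchemes(COMMA_IN_VALUE), offersScheme(COMMA_IN_VALUE, "Basic"));
```
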