On Tue, Nov 20, 2018 at 3:48 PM Honza Bambas <hbam...@mozilla.com> wrote: > Our implementation reflects the reality we can see in the wild. I > believe the spec has always been wrong here, and apparently has never > been widely respected by servers because commas may be contained in the > challenge header values. The spec should consider authentication as an > exception, similarly to Set-Cookies. This is, tho, only my opinion.
Given that intermediaries are free to combine headers (other than Set-Cookie) that seems problematic. It also seems doable to define a parser that acts on the combined value, but I agree that doing so requires buy-in from others and due diligence with respect to tests and compatibility. (Also, per https://github.com/httpwg/http-core/issues/136 it looks like the HTTP WG isn't close to consensus on accepting the browser status quo, if any exists.) _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform