On 2019-01-03 at 22:10, Karl Wright wrote:
Well, I don't actually see anything wrong with the idea of sending the auth header right up front and not requiring a whole extra back-and-forth to authorize. NTLM needs that but basic auth doesn't in theory. What is wrong with what they are doing? Do you have a spec I can present to them?
I state that no auth mech requires that because the first request with Expect: 100-continue is so small that it shall work.
Did you actually try that with NTLM? But it violates RFC 7235 anyway. RFC 7235, chapter 2.1 says
A user agent that wishes to authenticate itself with an origin server -- usually, but not necessarily, after receiving a 401 (Unauthorized) -- can do so by including an Authorization header field with the request.
So, I guess it is fine doing so, but not by default. You aren't showing your ID to people unless you have been asked for, right?

Michael
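The two behaviours discussed in this thread, as an added example that is not part of the original message and is not HttpClient code: a challenge-driven upload with `Expect: 100-continue` next to a preemptive one, recording which `Authorization` values the server sees and how many body bytes cross the wire. `OriginServer`, `upload`, the realm and the credentials are constructed for illustration, and only the first challenge in `WWW-Authenticate` is read.

```python
import base64

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class OriginServer:
    """Constructed stand-in for an origin server guarding one resource."""
    def __init__(self, challenge, valid):
        self.challenge, self.valid = challenge, valid
        self.auth_seen, self.body_bytes = [], 0

    def headers(self, hdrs):
        # Decide from the headers alone, as a server honouring
        # Expect: 100-continue does before any body is transmitted.
        self.auth_seen.append(hdrs.get("Authorization"))
        if hdrs.get("Authorization") == self.valid:
            return 100, {}
        return 401, {"WWW-Authenticate": self.challenge}

    def body(self, data):
        self.body_bytes += len(data)
        return 200

def upload(server, data, user, password, preemptive=False):
    """Send headers first, then the body only after 100. Returns final status."""
    hdrs = {"Expect": "100-continue", "Content-Length": str(len(data))}
    if preemptive:
        hdrs["Authorization"] = basic(user, password)
    status, resp = server.headers(hdrs)
    if status == 401 and "Authorization" not in hdrs:
        # Answer only a challenge naming a scheme we hold credentials for.
        scheme = resp.get("WWW-Authenticate", "").split(" ", 1)[0].lower()
        if scheme != "basic":
            return 401
        hdrs["Authorization"] = basic(user, password)
        status, resp = server.headers(hdrs)
    return server.body(data) if status == 100 else status
```

Against a server that challenges with a different scheme, the challenge-driven path never releases the Basic credentials, while the preemptive path has already sent them with the first request.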