Marc Slemko wrote: > On Mon, 25 Mar 2002, Eli Marmor wrote: > > >>And a yet another note: >> >>It is not a bug that "sometime" causes problems; >>It is a bug that causes mod_auth_digest to fail ALWAYS (when there are >>parameters, of course). > > > That is defined as "sometimes". And it is only IE with which it fails, > no? > > >>So it looks important for me to commit this patch. >>Especially when there is no need to dig into the source, find the >>problem, fix it, and test it, but everything is ready and you just have >>to commit. > > > Isn't this a matter of IE incorrectly implementing the spec? > > Will making this change break browsers that do properly implement it? > should we implement this kind of thing by way of a 'browsermatch ...' so that we could live in the best of both worlds? or is this still a security issue for IE users?
> It is not obvious if or how we should attempt to cope with IE's > brokenness, so it is not something that can just be blindly > applied. Blindly ignoring the query string on a request can have > security implications as well that need to be understood. >
