On 2009-09-16 23:58, Alexander Klimetschek wrote:
Right, and this can be different from browser to browser. In my
experience, Firefox and IE are not that strict and will apply cached
credentials for the same realm on the entire domain (e.g. my.app.com/),
so you shouldn't see this problem with them (but I am not sure, maybe
it is only the case in certain versions of them).

Safari and Chrome (i.e. WebKit-based ones, although HTTP and credential
handling is not part of the core WebKit code) are more strict and will
definitely apply them for a given resource and its "tree" below. They
will also only cache credentials that were entered manually, i.e. any
XHR trick to pass in the credentials while avoiding the (ugly) browser
login dialog will fail there.

IE8 seems to go to the latter camp. It will not load a resource from "/a/b.js" if it previously logged into "b/c.html".

It's a little confusing when Sling returns a "200 OK" message with a body indicating an error to a human instead of a 401, 403 or 404 when anonymous access is denied globally, because that creates a parser error in my client-side script.

--
peter
