The draft spec currently says:
----------------- If authentication fails, user agents should prompt the users for credentials. ----------------- This doesn't say what happens if user-provided credentials are also incorrect, but I would read this text as a requirement to ask again. However, Firefox and IE only ask the user once, and handle the request as success with response status 401 if that fails. Would it make sense to describe Firefox/IE behavior in the spec in this case? WebKit bug: <http://bugs.webkit.org/show_bug.cgi?id=13075>. - WBR, Alexey Proskuryakov
