Martin Atkins wrote:
> This idea has promise, but is it compatible with existing browsers?
>
> The case where the only challenge included is HTML is probably okay, since browsers will at this point likely determine that they don't support any of the given schemes and just display the entity body. The only concern in this case is browser-provided default error pages for the 401 response, which can hopefully be suppressed in much the same way as sites suppress IE's default 404 error page by padding the response to take it above a certain filesize.
>
> More bothersome is this case:
> HTTP/1.1 401 Unauthorized
> ...
> WWW-Authenticate: HTML form="login"
> WWW-Authenticate: Basic realm="..."
> ...

Is that case relevant? Today, those sites do not support Basic (or Digest) at all, or only send the 401 for certain user agents and/or methods. So I wouldn't expect them to start adding the non-HTML auth challenge...

> ...

BR, Julian
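
The two cases discussed in this thread, as an added example that is not part of either message: a client parses the offered WWW-Authenticate challenges and acts on the first scheme it implements. The `HTML` scheme is the thread's proposal rather than a registered scheme; the client preference lists and the realm value are assumptions constructed for illustration.

```python
import re

# auth-param = token "=" ( token / quoted-string )
_PARAM = re.compile(r'''([\w!#$%&'*+.^`|~-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))''')

def parse_challenge(value):
    """Parse one WWW-Authenticate field value that carries a single challenge."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for m in _PARAM.finditer(rest):
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", raw)  # undo quoted-pair escapes
    return scheme.lower(), params

def select_challenge(header_values, supported):
    """Return the (scheme, params) the client would act on, or None.

    `supported` lists the schemes the client implements, most preferred first.
    None means no offered scheme is understood, so the entity body is shown.
    """
    offered = [parse_challenge(v) for v in header_values]
    for scheme in supported:
        for name, params in offered:
            if name == scheme:
                return name, params
    return None

# Constructed sample header values; the realm string is made up.
HTML_ONLY = ['HTML form="login"']
MIXED = ['HTML form="login"', 'Basic realm="example"']

# Assumed client profiles (hypothetical preference orders).
LEGACY_BROWSER = ["digest", "basic"]
HTML_AWARE_CLIENT = ["html", "digest", "basic"]

if __name__ == "__main__":
    for label, headers in (("HTML only", HTML_ONLY), ("HTML + Basic", MIXED)):
        for client, prefs in (("legacy", LEGACY_BROWSER), ("HTML-aware", HTML_AWARE_CLIENT)):
            print(f"{label:13} {client:11} -> {select_challenge(headers, prefs)}")
```

In the mixed case the legacy profile lands on Basic, which is where a browser would raise its native credential dialog instead of rendering the login form in the body.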
