Thomas Broyer wrote:
I don't really mind, as long as the server is able to say "I give you
this thing to you anonymous user, but you can also authenticate (e.g.
to be proposed more features)". This is the exact use-case many web
site (including most if not all e-commerce web sites) are facing, and
it'd be cool that it could be dealt with at the HTTP level.
Yes, I agree that this is a valid use case. I think "Vary:
Authentication" is sufficient for a client to detect that authenticating
will indeed have an effect.
What else do we need?
...
The interesting question is whether we can retroactively specify it for 200
responses without breaking existing servers.
...and clients (and intermediaries, but you might have included them
in "servers")
I was thinking "sites" (when I said "servers"), which would include all
parties involved.
Indeed.
BR, Julian
