Closed Bug 656213 Opened 13 years ago Closed 9 years ago

Servers cannot tell the client what encoding to use for HTTP BASIC auth

Categories

(Core :: Networking: HTTP, defect)

Not set
major

RESOLVED DUPLICATE of bug 41489
mozilla6
Tracking Status
blocking2.0 --- -

People

(Reporter: briansmith, Unassigned)

Details

(Keywords: intl)

+++ This bug was initially created as a clone of Bug #41489 +++

There needs to be some way for a server to tell the client what encoding it expects for basic auth credentials, and the client needs to respect that choice.

The solution must be implementable by server admins of common servers (IIS, Apache, nginx) using mod_headers-like approaches--without requiring code changes to HTTP servers, proxies, or web apps. The solution must be backward-compatible so that IE6/7/8/9, Safari, and other browsers can safely ignore it. The solution must work for both origin server authentication and proxy authentication.

One potential solution is http://greenbytes.de/tech/webdav/draft-reschke-basicauth-enc-latest.html. However, I am concerned that this might not meet the requirements in the previous paragraph. Separate "Authenticate-Encoding" and "Proxy-Authenticate-Encoding" header fields would clearly meet them.

We should try to come to an agreement with other browser makers on a way forward; ideally we should have a prototype of this mechanism (e.g. with "X-Moz-" prefixes) in the release where bug 41489 is resolved.

The mechanism needs to be documented on MDC when we start shipping it. We should also dogfood it on *.mozilla.org.

Test cases for extension auth-params:

http://greenbytes.de/tech/tc/httpauth/#simplebasicnewparam1

and

http://greenbytes.de/tech/tc/httpauth/#simplebasicnewparam2

These seem to work in all current browsers.
Assignee: hurley → nobody
Proposed specification defining an extension parameter for servers to opt-in to UTF-8: <http://greenbytes.de/tech/webdav/draft-ietf-httpauth-basicauth-enc-02.html>
The IESG just approved a revision of the Basic Auth spec that defines the aforementioned "charset" parameter (to be published as RFC soon): http://greenbytes.de/tech/webdav/draft-ietf-httpauth-basicauth-update-07.html
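
How a client could honor the "charset" parameter mentioned above, as an added example (not code from this bug or from Firefox): it parses a single Basic challenge, switches to UTF-8 only when the server opts in, and otherwise uses an assumed legacy encoding (ISO-8859-1 here), refusing credentials that encoding cannot represent instead of mangling them. Function names and the sample header values in the comments are constructed for illustration.

```python
import base64
import re

# auth-param = name "=" ( token / quoted-string ); the name pattern is
# deliberately permissive, this is an illustration and not a full HTTP parser.
_PARAM = re.compile(r'([^\s=,"]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def parse_basic_challenge(header_value):
    """Parse one challenge, e.g. 'Basic realm="foo", charset="UTF-8"'.

    Returns a dict of lower-cased parameter names, or None if the scheme
    is not Basic. Assumes the header carries a single challenge.
    """
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    params = {}
    for m in _PARAM.finditer(rest):
        quoted, token = m.group(2), m.group(3)
        # Undo quoted-pair escapes (\" and \\) inside quoted strings.
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
        params[m.group(1).lower()] = value
    return params


def credentials_encoding(params, legacy="iso-8859-1"):
    """UTF-8 only on explicit opt-in; the legacy default is an assumption."""
    if params.get("charset", "").lower() == "utf-8":
        return "utf-8"
    return legacy


def basic_authorization(header_value, user, password, legacy="iso-8859-1"):
    """Build the Authorization header value answering the given challenge."""
    params = parse_basic_challenge(header_value)
    if params is None:
        raise ValueError("not a Basic challenge")
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    # Strict encoding: raises UnicodeEncodeError when the credentials cannot
    # be represented, so the caller can report it instead of sending a
    # silently altered password.
    raw = f"{user}:{password}".encode(credentials_encoding(params, legacy))
    return "Basic " + base64.b64encode(raw).decode("ascii")
```
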
Jason, should we jump on this?  (see comment 3).
Flags: needinfo?(jduell.mcbugs)
Sure--it would be great to finally fix basic auth encoding.
Flags: needinfo?(jduell.mcbugs)
Do you think you can find an assignee for this?
Assignee: nobody → jduell.mcbugs
Assignee: jduell.mcbugs → nobody
Flags: needinfo?(jduell.mcbugs)
The work looks like it's happening back in the original bug, so I'm duping this.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jduell.mcbugs)
Resolution: --- → DUPLICATE