Hello,

On Tuesday, 10 September 2019 16:19:01 UTC, Honza Bambas wrote:
> There is no official or standardized way to "force" authentication,
> because this is really a non-standard thing you do.

Can you elaborate on this and why it is off-standard? What should have been written in the standards, in order to support this use-case?

RFC 7235 says “A user agent that wishes to authenticate itself with an origin server -- usually, but not necessarily, after receiving a 401 (Unauthorized) -- can do so by including an Authorization header field with the request.” So if the user insists on authenticating, the server does not have to reply with 401.

The way to get the supported schemas, apart from sending an invalid username with a random password, is to make an OPTIONS call (on my server, which happens to be also semi-standard):

    curl -D- -XOPTIONS https://mail.aegee.org/dav
    HTTP/2 200
    content-length: 0
    cache-control: no-cache
    www-authenticate: Basic realm="AEGEE.ORG"
    www-authenticate: Negotiate
    allow: OPTIONS, GET, HEAD

Now, is the problem in the core of Firefox/Thunderbird, in the standards, in the server or in the addon? In particular, does the core really refuse to deal with the authentication once the addon inserts an Authentication header? This makes it practically impossible to switch later to Negotiate: GSS-SPNEGO after inserting a fake Authentication header, as doing this negotiation for an addon is way too much.

Regards
  Дилян
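The scheme discovery described in the message above, as an added example that is not part of the original post: a parser for the WWW-Authenticate challenges in a header dump like the one shown, which also handles several comma-separated challenges arriving in a single field. The helper pickScheme, its preference order and the FOLDED sample are assumptions of this example.

```javascript
// Added example (not from the original post): parse WWW-Authenticate challenges
// (RFC 7235, section 4.1) from a raw header dump such as `curl -D-` prints.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const PARAM = new RegExp(`^(${TOKEN})\\s*=\\s*(?:"((?:[^"\\\\]|\\\\.)*)"|(${TOKEN}))$`);
const START = new RegExp(`^(${TOKEN})(?:\\s+(.+))?$`);

function addParam(challenge, p) {
  // p[2] is a quoted-string body (unescape it), p[3] a bare token.
  const value = p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
  challenge.params[p[1].toLowerCase()] = value;
}

function parseChallenges(rawHeaders) {
  const challenges = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const m = /^www-authenticate:\s*(.*)$/i.exec(line);
    if (!m) continue;
    // One field may carry several challenges; split on commas outside quotes.
    const items = m[1].match(/(?:[^,"]|"(?:[^"\\]|\\.)*")+/g) || [];
    for (const item of items.map((s) => s.trim()).filter(Boolean)) {
      const cont = PARAM.exec(item);
      if (cont && challenges.length) { // auth-param of the current challenge
        addParam(challenges[challenges.length - 1], cont);
        continue;
      }
      const s = START.exec(item);
      if (!s) continue; // malformed element, ignore it
      const ch = { scheme: s[1], params: {}, token68: null };
      challenges.push(ch);
      if (s[2] === undefined) continue; // bare scheme such as "Negotiate"
      const first = PARAM.exec(s[2]);
      if (first) addParam(ch, first);
      else ch.token68 = s[2];
    }
  }
  return challenges;
}

// Hypothetical helper: the preference order is an assumption of this example.
function pickScheme(challenges, preference = ["negotiate", "basic"]) {
  const offered = new Set(challenges.map((c) => c.scheme.toLowerCase()));
  return preference.find((s) => offered.has(s)) || null;
}

// Header lines as shown in the post, then a constructed single-field variant.
const SAMPLE = ['www-authenticate: Basic realm="AEGEE.ORG"',
  "www-authenticate: Negotiate", "allow: OPTIONS, GET, HEAD"].join("\r\n");
const FOLDED = 'WWW-Authenticate: Negotiate, Basic realm="a, b", charset="UTF-8"';
console.log(parseChallenges(SAMPLE), pickScheme(parseChallenges(FOLDED)));
```

Parsing the challenges first lets a client see that Negotiate is offered before any Basic credentials are placed in an Authorization header.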