On Sunday, May 7, 2017 at 8:54:54 PM UTC+2, Patrick McManus wrote:
> It's a good point, but the hash also has some credential info in it for the
> case of ntlm cause you also don't want to mix user a and user b when you
> are doing conn based auth. Hopefully that wouldn't need to surface up at
> whatwg/w3c level.

So I don't know how these connection-level authentication mechanisms work in detail, but they came up in the issue as well, and might well have been the motivator for the credentials flag. If we don't want those to be used on connections that also carry requests without credentials, how do we go about that? Can these authentication mechanisms be negotiated after the connection is opened? Can the client easily refuse? Can the server assert it won't ever start such a negotiation? (Having statistics on how often these mechanisms are used would also be interesting, though I suspect we can't do much about it given intranet deployments and such.)

FWIW, I suspect Fetch will need to keep some handle on how to allocate connections, just to deal with WebSocket, error handling, the upcoming token binding integration, and features like preconnect.

_______________________________________________
dev-tech-network mailing list
https://lists.mozilla.org/listinfo/dev-tech-network
