On Thu, Sep 17, 2009 at 1:02 AM, Ian Boston <i...@tfd.co.uk> wrote: > On 17 Sep 2009, at 07:58, Alexander Klimetschek wrote: >> ...Firefox and IE are not that strict and will apply cached >> credentials for the same realm on the entire domain (eg. my.app.com/),...
>> ...Safari and Chrome (ie. Webkit-based ones, although HTTP and Credential >> handling is not part of the core Webkit code) are more strict and will >> definitely apply them for a given resource and its "tree" below.... > ...In some browsers Ajax calls dont behave in the same way as the main > browser. > I think some of my co-workers have seen this with IE8, so its probably > safest to ensure that login happens at /... So does that mean that forcing authentication to happen on / using the "ugly" built-in browser credentials dialog works on all current browsers? For user-initiated as well as XHR requests? If yes, I'd suggest documenting this as a simple way of managing authentication for Sling, without requiring any extensions. -Bertrand