On Tue, Aug 16, 2011 at 10:48 AM, Robert Newson <rnew...@apache.org> wrote: > a 401 response MUST include a WWW-Authenticate header, this causes an > unstylable modal dialog box on all browsers (the HTML you want to send > will not matter). > > This is why we cannot do as you suggest.
I'm new to the list and somewhat new to this discussion so I may be off in the weeds here but if I can recap: You're arguing that CouchDB should explicitly do something non-standard based on presumptions about the nature and capabilities of a specific type of client. Not only would CouchDB be making the presumption that it's a "browser" of current capability but also assuming that the request isn't being made via XMLHttpRequest such that the client code might process the 401 in its own fashion/with its own UI. I'd suggest that neither of these assumptions seem to be in keeping with "best practices" in terms of allowing the web/browser landscape to evolve in a positive direction. Developers should be able to count on a standards-compliant server. Browsers are a known weak spot in the web and we've been working around their shortcomings for a decade. I think most client developers assume that will continue to be true for quite some time. Making the server less compliant only makes it worse. Again, I'm new here so I'm very open to being educated on the rest of the issues. But, modal dialog pain or not, I'd still argue for a 401 if the server's sense of reality is the client is "Unauthorized". ss
