[Ietf-http-auth] Updating RFC 2617 (HTTP Digest) to use UTF-8

Bjoern Hoehrmann derhoermi at gmx.net
Fri Sep 22 09:41:36 PDT 2006

* Alexey Melnikov wrote:
>Does anybody know if updating RFC 2617 to say that username/passwords 
>are UTF-8 would break any major implementation? For example, does 
>anybody know if a major HTTP client/server implementation assumes ISO 8859-1?

It appears that for Basic authentication the German version of Internet
Explorer 6 running on the German version of Windows 2003 as well as the
latest English Internet Explorer 7 release candidate running on the
German version of Windows XP will use something like ISO-8859-1 for both
manual as well as XMLHttpRequest requests. Trying to use U+20AC as user
name and password they got encoded as 0x80 (Windows-1252) for manual
requests, and to '?' for XHR. Characters not included in Windows-1252 come
out as '?' regardless of the method used. For XHR my test cases include
documents encoded as ISO-8859-1 and UTF-8; there did not appear to be
any difference.

The latest en-us version of Firefox uses UTF-8 for XHR and the lower
byte of the character when encoded using UTF-16BE (so for U+20AC you
get 0xAC) when using manual input. For manually entered http://u:p@...
URLs Firefox uses Windows-1252 if possible, UTF-8 otherwise. When XHR
is used with such a URL, it uses UTF-8. The latest en-us version of
Opera9 always uses UTF-8, as far as I can tell based on my limited
testing. Results might well be different with different default code
pages, language settings, and so on. Note that the illegal http://u:p@..
addressing scheme allows the use of arbitrary octet sequences using %hh
escape sequences, with some browser-specific limitations.
Björn Höhrmann · mailto:bjoern at hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
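
The encodings reported in the message above, as an added example that is not part of the original post: it builds the Basic credential octets for U+20AC under each reported behaviour and shows what a server recovers from them. The scheme labels and the decoder's order (UTF-8 first, then Windows-1252, then ISO-8859-1) are assumptions made for illustration, not something the thread or RFC 2617 specifies.

```python
import base64

def utf16be_low_byte(s):
    # Keep only the low byte of each UTF-16BE code unit: U+20AC -> 0xAC.
    return s.encode("utf-16-be")[1::2]

# Constructed model of the client behaviours described in the message.
# The dictionary keys are labels chosen for this example.
OBSERVED = {
    "utf-8": lambda s: s.encode("utf-8"),
    "windows-1252": lambda s: s.encode("cp1252", errors="replace"),
    "question-mark": lambda s: s.encode("ascii", errors="replace"),
    "utf16be-low-byte": utf16be_low_byte,
}

def credential_bytes(user, password, scheme):
    """Octets of user:password as a client using `scheme` would send them."""
    enc = OBSERVED[scheme]
    return enc(user) + b":" + enc(password)

def basic_header(user, password, scheme):
    raw = credential_bytes(user, password, scheme)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic(header):
    """Server side: return (user, password, charset_used).

    Assumed heuristic: strict UTF-8 first, then Windows-1252, then
    ISO-8859-1, which accepts every octet and so never fails.
    """
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(b64, validate=True)
    user_b, sep, pass_b = raw.partition(b":")  # user-id cannot contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    for charset in ("utf-8", "cp1252"):
        try:
            return user_b.decode(charset), pass_b.decode(charset), charset
        except UnicodeDecodeError:
            continue
    return user_b.decode("latin-1"), pass_b.decode("latin-1"), "latin-1"

if __name__ == "__main__":
    for name in OBSERVED:
        hdr = basic_header("\u20ac", "\u20ac", name)
        print(f"{name:18} {credential_bytes(chr(0x20AC), chr(0x20AC), name)!r:32} "
              f"{hdr:20} -> {decode_basic(hdr)}")
```

Only the UTF-8 and Windows-1252 cases round-trip to U+20AC; the low-byte and '?' cases decode without error to a different credential, so a server cannot detect the mismatch from the octets alone.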
