Matt Menke
Separating it out from an error code would also allow redirecting browsers that don't support it to, e.g., an alternative login flow or whatnot, rather than having to sniff browser version...
Alternatively, could just consider the session refreshed until it's refresh time again, or the server tells us otherwise, but since I don't think we tell the server in normal requests...
Redirects provide error handling, without having to send a full error page to display to the user to browsers that support the feature. With a 401, if you want an...
And just to make sure we're on the same page: First response, say for https://foo/cookie-request would get the challenge header and a redirect to https://foo/cookie-request-not-supported. If the browser can handle...
So it's been 3 months since I made the comment folks were responding to, and haven't thought about this stuff since, so I've completely lost all context. I still think...
Without reviewing the actual verbiage, I agree with CarloCannas that a terminal comma should result in adding an empty string. Specs allow for: Foo: Bar Foo: to be replaced with:...
What Chrome actually does if it sees multiple differing Location headers is hard-fail the request. We do the same for Content-Length and Content-Disposition. If we have multiple identical headers we...
That's a really good point. Seems like we should be consistent, even if it's only potentially a security issue for HTTP/1.x.
Relatedly, I don't think there's any spec that covers what to do on bad redirect location headers. Browsers could ignore the header (which for Chrome, at least, would result in...
I'm not sure the fetch standard has a concept of a unique, unshared network partition. I'm not really sure what the next step is here, unfortunately. I know the network...