curl-library

Re: Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 17 Jul 2014 14:28:16 +0200 (CEST)

On Thu, 17 Jul 2014, Michael Osipov wrote:

>> I'm fully convinced you will find servers out there returning headers like
>> that.
>
> Maybe true but that is not covered in libcurl also. You cannot scope the
> auth.

Right, but that's a separate limitation. It has been worked on in the past but
it was never completed.

If the server offers two separate realms for the same path, surely it would
then also possibly accept two different credentials for that path so the lack
of scoping wouldn't matter in that particular case!

>> Yes, because you're asking for it!
>
> Then I would at least require the docs to say that preemptive is performed
> by default. Users should be aware that they could disclose information.

Yes it should! But you're expressing this funnily. If it _does_ probe first,
it will disclose the exact same information if the server asks for basic auth
...

> After that at least, I have found a bug in curl which ends in an endless
> redirect. I will report shortly.

Ouch!

>> If there's a missing option it would then rather be one that allows you to
>> say "I only want to use {basic,digest,ntlm,...} but I still want to probe
>> first" - which libcurl can do but that ability isn't exposed to the command
>> line tool afair.
>
> How would that go in libcurl, I mean not preemptive?

Add the 'CURLAUTH_ONLY' bit. Like when asking for only basic with a probe:

  CURLAUTH_BASIC | CURLAUTH_ONLY

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2014-07-17
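
Added example, not part of the original mail and not libcurl code: a minimal Python model of a Basic-only HTTP client in the two modes discussed above (credentials sent on the first request versus sent only after a probe), run against a constructed local server that records every Authorization header it receives. The names `make_server`, `get`, `fetch` and `observed`, the credentials and the challenge strings are all assumptions made for the illustration.

```python
import base64, http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def make_server(challenge):
    """Constructed local server: always answers 401 with `challenge`
    and records the Authorization header of each request (None if absent)."""
    seen = []
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            seen.append(self.headers.get("Authorization"))
            self.send_response(401)
            self.send_header("WWW-Authenticate", challenge)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the run quiet
            pass
    srv = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, seen

def get(port, headers):
    """One GET request; returns the server's WWW-Authenticate challenge."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.getheader("WWW-Authenticate", "")

def fetch(port, user, password, probe_first):
    """Basic-only client. probe_first=False sends credentials at once;
    probe_first=True sends them only after the server asks for Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    auth = {"Authorization": "Basic " + token}
    if not probe_first:
        get(port, auth)
    elif get(port, {}).lower().startswith("basic"):
        get(port, auth)

def observed(challenge, probe_first):
    """Authorization headers the server saw during one client run."""
    srv, seen = make_server(challenge)
    try:
        fetch(srv.server_address[1], "alice", "s3cret", probe_first)  # constructed credentials
    finally:
        srv.shutdown()
        srv.server_close()
    return seen
```

With a Basic challenge both modes end up sending the same credentials; only when the server challenges with another scheme (Digest in the test values) does probing first keep the Basic credentials off the wire.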