From: Tom Lane
To: Magnus Hagander
cc: Dave Page, PostgreSQL WWW
Subject: Re: New archives for testing
References: <16596.1356900153@sss.pgh.pa.us>
Comments: In-reply-to Magnus Hagander message dated "Sun, 30 Dec 2012 22:32:42 +0100"
Date: Mon, 31 Dec 2012 17:47:14 -0500
Message-ID: <20596.1356994034@sss.pgh.pa.us>
X-Mailing-List: pgsql-www

Magnus Hagander writes:
> On Sun, Dec 30, 2012 at 9:53 PM, Dave Page wrote:
>> I don't think it was originally intended as a prompt (it's the security
>> realm actually), but most browsers showed it anyway and it's been (ab)used
>> that way for years. FYI, the browser I saw not displaying it was Safari on
>> iOS, so most definitely not 'little used'.

> No, but not showing it makes it a pretty useless browser since it's
> supposed to tell the user which password to use when different
> sections on a site have different passwords.
> ...
> So the question is how much effort we want to put into it. If we make
> the 401 page itself contain the text, does that show up in Safari
> after authentication has failed, or does it show some custom page?

At least on iOS 6, Safari doesn't seem to show any 401 page at all. When you hit the "raw" link, you get an "Authentication required" popup with just space for username and password. If you put in a wrong value, the popup re-appears. There's not much you can do except hit "Cancel". Not very helpful at all I'd say. (Now admittedly, on a phone-size screen it's not clear that there's room for much of a prompt, but still...)

Having just done the experiment, though, I'd have to say that the usability of the archives is pretty darn low regardless of this. Too many very small links too close together --- there's basically no way to hit what you want accurately without zooming way in first. (And that was on an iPad; don't even want to think about a phone.) I can't see anybody really caring about either the mbox or raw links in that context.

But on the third hand ... could we rig it to accept any old name and password? The mere occurrence of a challenge ought to be enough to discourage most bots.

regards, tom lane
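The challenge-only gate floated at the end of the message above, as an added example that is not part of the original email or of the PostgreSQL archives code: a WSGI handler that answers with a Basic challenge, puts the hint in both the realm and the 401 body, and then lets any well-formed credentials through. The realm text, hint text, `/raw` path and helper names are assumptions made for illustration.

```python
import base64
import binascii

# Assumed wording for illustration; the thread does not quote the real realm text.
REALM = "Anti-bot gate: enter any username and password"
HINT = b"This link is gated against bots. Any username and password will do.\n"

def has_basic_credentials(header):
    """True if header is a well-formed Basic credential, whatever its value."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    return b":" in decoded  # RFC 7617 form is user-id ":" password

def app(environ, start_response):
    """WSGI app: challenge first, then accept any name and password."""
    if has_basic_credentials(environ.get("HTTP_AUTHORIZATION")):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"raw message would be served here\n"]
    # Browsers that display the realm use it as the prompt; the body repeats
    # the hint for clients that render the 401 page instead.
    start_response("401 Unauthorized", [
        ("WWW-Authenticate", 'Basic realm="%s"' % REALM),
        ("Content-Type", "text/plain"),
        ("Content-Length", str(len(HINT))),
    ])
    return [HINT]

def call(app_, auth=None):
    """Drive the app in-process and return (status, headers, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/raw"}  # constructed request
    if auth is not None:
        environ["HTTP_AUTHORIZATION"] = auth
    body = b"".join(app_(environ, start_response))
    return seen["status"], seen["headers"], body
```

A gate like this only filters clients that never answer a challenge; because every credential is accepted, it provides no access control and the content behind it should be treated as public.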