On Mon, Aug 06, 2007, Neil A. Hillard wrote: > The browser knows it is talking to the origin server so will support > basic auth. If you stick an intercepting proxy in the way and then use > basic auth then how do you authenticate to the origin server? > > You have to have two headers and then tell the browser to use the proxy > (and therefore the proxy auth header). yes, but the browser doesn't "know" that it has to authenticate to an intermediate until its asked via a 407. The specification doesn't cover transparently intercepted connections in this instance. (or did it via a "proxy required" status? Henrik knows the HTTP nuances better than I.) In any case, the specification wasn't clear, UA's don't handle Proxy-Authentication required right when they don't have an explicit proxy set, and thus you can't pull off that potentially useful (and potentially security hazardous!) trick. Adrian