This is an archived snapshot of W3C's public Bugzilla bug tracker, decommissioned in April 2019.
We need to be clearer about the persistence of this. E.g. tie it to some kind of session concept. And maybe document risks and learned lessons at some point.
I guess saying the user agent can cache it for this URL is good enough. The session concept seems to be something user-agent-specific that has not made its way into specifications yet. (See e.g. HSTS for something else that just ties it to the user agent.)
http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-26#section-2.2 seems clear enough...
https://github.com/whatwg/fetch/commit/bffaa17cdad4f7924548233d24ff14b0ae793bbb