The problem is, Zope challenges you when you log into /manage. The browser pops up the auth box. You log in, and your browser successfully retrieves the frameset. Since the left frame *requires* authentication, it challenges the browser which sends the credentials. The right frame does not require authentication, and in fact, will *not* challenge the browser. Zope assumes that the browser will automatically send the previously established credentials for the right frame, as all browsers do except the two you mention.
So, the question is, does the spec define this behavior? Are browsers required to send authentication information previously established for a given realm even when *not* challenged by the server?
The relevant RFCs are:

HTTP/1.1: http://www.ietf.org/rfc/rfc2616.txt
HTTP Authentication: Basic and Digest Access Authentication: http://www.ietf.org/rfc/rfc2617.txt

RFC-2617 says in section 2 "Basic Authentication Scheme":

    A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another challenge from the server.

It says MAY, not MUST, not even SHOULD. I could not find any other part of the standard that suggests otherwise.

So if I understand it correctly, Zope is relying on browser behaviour that is not required by the standard. That would mean the problem is caused by Zope, not by some browsers.

Regards,
Rene Pijlman
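
The exchange discussed in this message, as an added example that is not part of the original post and is not Zope's code. The frame paths, realm, credentials and the `challenge_when_anonymous` switch are constructed for the demonstration; it shows a client that uses the RFC 2617 MAY and one that does not, against a server that relies on preemptive credentials and one that challenges instead.

```python
import base64
import hmac

REALM = "demo-realm"                 # constructed realm name
USERS = {"admin": "secret"}          # constructed credentials
LEFT, RIGHT = "/left_frame", "/right_frame"   # hypothetical frame paths

def parse_basic(header):
    """Return the user name for valid Basic credentials, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:               # bad base64 or bad UTF-8
        return None
    expected = USERS.get(user)
    if expected is None:
        return None
    return user if hmac.compare_digest(expected.encode(), pw.encode()) else None

def serve(path, headers, challenge_when_anonymous):
    """Server side: return (status, response_headers, body)."""
    user = parse_basic(headers.get("Authorization"))
    # The left frame always challenges. The right frame challenges only when
    # the server does not rely on the client sending credentials unasked.
    if user is None and (path == LEFT or challenge_when_anonymous):
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, ""
    return 200, {}, f"view for {user or 'Anonymous'}"

def fetch(path, preemptive, challenge_when_anonymous):
    """Client side: the user has already logged in to this realm.
    `preemptive` models the optional (MAY) behaviour from RFC 2617 section 2."""
    creds = "Basic " + base64.b64encode(b"admin:secret").decode()
    headers = {"Authorization": creds} if preemptive else {}
    status, _, body = serve(path, headers, challenge_when_anonymous)
    if status == 401:                # every client answers an explicit challenge
        status, _, body = serve(path, {"Authorization": creds},
                                challenge_when_anonymous)
    return status, body

if __name__ == "__main__":
    for preemptive in (True, False):
        for challenge in (False, True):
            print(preemptive, challenge, fetch(RIGHT, preemptive, challenge))
```

Only the combination of a non-preemptive client and a non-challenging right frame yields the anonymous view; the other three combinations end with the authenticated one.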