Oops!  Justin Rudd brought the following bugs to my attention:

1. When using Opera, the cnonce value is a base-64 encoded value which may contain the ‘=’ character. The original parsing code did not correctly handle this situation.

2. Mozilla uses the entire URI (including the query string) for the uri field in the authorization header, whereas Internet Explorer does not. The original parsing code would not correctly handle the ‘=’ characters in the header.

Both are fixed now (actually the same problem in the code).  You know, it’s funny; I had just read Brad’s post about people only testing their code on IE; I guess I fell right into that one!