Why are browser HTTP auth schemes stuck in 1999?
Chromium supports Basic, Digest, NTLM, and Negotiate HTTP authentication schemes. Of those, the newest is Negotiate, which was present no later than 1999, because IE5 supported it (!!!). I can't find a comparable reference for what Firefox supports but my understanding is that it's broadly similar. (Admittedly, Negotiate may only have been documented in an RFC in 2006; still.)
All four of those schemes are rather severely flawed. Basic exposes the password in plaintext over the wire; Digest doesn't salt, among other things; NTLM is, well, NTLM; and in practice Negotiate is just Kerberos in disguise, which is great if you're already on AD but still.
15 years ago we could throw up our hands and say, "Welp, that's all we got. If we don't like it, we're going to need to define your login workflow at the application layer, like literally every major website in existence." But we don't live in that world anymore! SCRAM has been standardized for eight years. Heck, OAuth2 has its own HTTP auth scheme. There are other options.
HTTP allows servers to support multiple authentication schemes. I could certainly understand — at least in principle — if web browsers were unable to adopt a new technology because of the potential of forwards- or backwards-incompatibility, or perhaps even because of excessive complexity-induced risk (JPEG XL, again, not saying that Google made the right call, but that its argument was at least cogent). And I can also understand that web browsers are under much less pressure to implement newer auth schemes than mail readers, WebDAV clients, etc. But I can't understand why no progress has been made. Is there some underlying reason for that? Or is it merely just because of a lack of attention?
