[nneonneo]

The protocol does provide for fallback: if the client doesn’t understand the WWW-Authenticate: WebSession header, it can just choose to ignore it and send a request without Authorization, at which point the server can fall back to a traditional session mechanism.

[paradite]

It's just an HTTP header, I'm sure frontend devs will be polyfilling the implementation before the browsers, if this were to be the standard.