The WWW-Authenticate header was not returned on an unauthenticated
propfind, but thunderbird relies on that.

I believe it's basically because in Sabre\DAVACL\Plugin::beforeMethod,
nodeExists is called, which ultimately attempts to list calendars in the
backend. This cannot work without some form of proxy authorization.

This likely broke in 28bbce1c30abada11d0e1d49094c120ff1e3084c of the
sabre dav repo (where this unauthenticated access was introduced and
enabled by default).