- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 15 Feb 2008 03:21:43 +0000 (UTC)
- To: John Panzer <jpanzer@acm.org>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Thu, 14 Feb 2008, John Panzer wrote: > Ian Hickson wrote: > > On Thu, 14 Feb 2008, John Panzer wrote: > > > > > Right, I'm not talking about Access-Control, I'm talking about > > > general HTTP auth[nz]. I don't understand the rationale for > > > AC4CSR's policies with regard to the Authorization: header > > > > The rationale is really as simple as this: browser vendors don't want > > to enable a distributed user credentials search. > > Which could be accomplished by banning Authorization: Basic and > Authorization: Digest only. Unless there's some other scheme in use that's also vulnerable. It also wouldn't help in general with XMLHttpRequest, since that blocks the Authorization: header because it can get set by the user agent due to the user being authenticated with that site. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 15 February 2008 03:21:57 UTC