
Re: ACTION-52 - open() and authentication

From: Charles McCathieNevile <chaals@opera.com>
Date: Tue, 18 Apr 2006 21:04:15 +0200
To: "Charles McCathieNevile" <chaals@opera.com>, "Web API public" <public-webapi@w3.org>
Message-ID: <op.s77wlde3wxe0ny@216-245-223.0506.adsl.tele2.no>

On Tue, 04 Apr 2006 14:02:23 +0200, Charles McCathieNevile  
<chaals@opera.com> wrote:

> At the face to face we discussed the question of whether open() should  
> be allowed/obliged/forbidden/... to use the authentication information  
> that had been provided to access a page. In summary, I think the answer  
> is "Yes, subject to security restrictions that may be imposed by a  
> browser".

An additional possibility, of course, is that the browser separately ask  
the user to approve, or re-authenticate for, the request.

I guess a browser may send the authentication information without making  
it available to the script (e.g. in the case of some useful, trusted XSS),  
although it is always available to the server, of course.

cheers

Chaals

-- 
Charles McCathieNevile                     chaals@opera.com
   hablo español  -  je parle français  -  jeg lærer norsk
      Peek into the kitchen: http://snapshot.opera.com/
Received on Tuesday, 18 April 2006 19:04:28 GMT
