[Bug 15418] sort out HTTP auth

From: <bugzilla@jessica.w3.org>
Date: Thu, 15 Nov 2012 13:57:16 +0000
To: public-webapps-bugzilla@w3.org
Message-ID: <bug-15418-2532-H8pealljyw@http.www.w3.org/Bugs/Public/>

--- Comment #4 from Hallvord R. M. Steen <hallvord@opera.com> ---
Copying over my opinions from the duplicate bug :-)

IMO we should clarify the following:

1) Add a note (maybe just informative?) saying user name / password from open()
method will only be sent to a site if it first uses a 401 response to indicate
that authentication is required.

2) Figure out what should happen if a script calls open() with user
name/password arguments, then sets an Authorize header with setRequestHeader().
Which wins? Will it depend on whether the site says 401 or not?

(IMO: setRequestHeader() should win if this is compatible with implementations,
simplifies things. Whether or not there is a 401 response should make no
difference. Hope that's sufficiently aligned with implementations..)

3) I assume that if setRequestHeader() adds an Authorize header, it's sent to
the server whether or not a 401 request has been returned. Perhaps this should
also be noted.

Received on Thursday, 15 November 2012 13:57:18 UTC