
[XHR] Authorization header

From: Alexey Proskuryakov <ap@webkit.org>
Date: Wed, 1 Apr 2009 11:32:34 +0400
Message-Id: <455B6D2B-B2C5-4D58-9AF4-25CDA0BAB2D0@webkit.org>
To: public-webapps <public-webapps@w3.org>

Per the current XHR spec draft, the Authorization header cannot be set  
from JavaScript for security reasons.

As far as I know, no shipping browser blocks it - and when we started
blocking it in WebKit, it caused a compatibility problem,
<https://bugs.webkit.org/show_bug.cgi?id=24957>.

What is the security reason to block this header?

- WBR, Alexey Proskuryakov
Received on Wednesday, 1 April 2009 07:33:14 GMT
