W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

[XHR] Authorization header

From: Alexey Proskuryakov <ap@webkit.org>
Date: Wed, 1 Apr 2009 11:32:34 +0400
Message-Id: <455B6D2B-B2C5-4D58-9AF4-25CDA0BAB2D0@webkit.org>
To: public-webapps <public-webapps@w3.org>

Per the current XHR spec draft, the Authorization header cannot be set  
from JavaScript for security reasons.

As far as I know, no shipping browser blocks it - and when we started  
blocking it in WebKit, it caused a compatibility problem, <https://bugs.webkit.org/show_bug.cgi?id=24957 
 >.

What is the security reason to block this header?

- WBR, Alexey Proskuryakov

Received on Wednesday, 1 April 2009 07:33:14 GMT

This message: [ Message body ]
Next message: Thomas Broyer: "Re: [XHR] Authorization header"
Next in thread: Thomas Broyer: "Re: [XHR] Authorization header"
Reply: Thomas Broyer: "Re: [XHR] Authorization header"
Reply: Anne van Kesteren: "Re: [XHR] Authorization header"

Mail actions: [ respond to this message ] [ mail a new topic ]
Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
Help: [ How to use the archives ] [ Search in the archives ]

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:10 GMT