
Re: [XHR] Authorization header

From: Thomas Broyer <t.broyer@gmail.com>
Date: Wed, 1 Apr 2009 09:54:32 +0200
Message-ID: <a9699fd20904010054q78df3194r9f86264f910bcd0a@mail.gmail.com>
To: public-webapps@w3.org
On Wed, Apr 1, 2009 at 9:32 AM, Alexey Proskuryakov wrote:
> Per the current XHR spec draft, the Authorization header cannot be set from
> JavaScript for security reasons.
>
> As far as I know, no shipping browser blocks it - and when we started
> blocking it in WebKit, it caused a compatibility problem,
> <https://bugs.webkit.org/show_bug.cgi?id=24957>.
>
> What is the security reason to block this header?

Yep, we're using a custom HTTP auth scheme for a corporate
application: the first request validates the credentials and the
response contains an auth ticket that is passed in subsequent requests
in the Authorization header (similar to GoogleLogin I guess).
It has the (huge) advantage over browser-handled schemes (Basic and
Digest) that the browser doesn't pop a dialog so we can handle 401s in
the application (e.g. make sure the user isn't trying to authenticate
as another user, which could cause weird behaviors: data loaded
previously authenticated as user A and subsequent requests made as
user B).
Doing the same without Authorization would defeat HTTP auth (the
server could still send a 401 with a custom auth scheme, but we would
have to send the credentials in a custom X-Authorization header, which
makes me think a bit about X-HTTP-Method-Override)

-- 
Thomas Broyer
Received on Wednesday, 1 April 2009 07:55:11 GMT
