
Re: [XHR] Authorization header

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 01 Apr 2009 11:49:35 +0200
To: "Alexey Proskuryakov" <ap@webkit.org>, public-webapps <public-webapps@w3.org>
Message-ID: <op.urpb8xfl64w2qv@annevk-t60.oslo.opera.com>
On Wed, 01 Apr 2009 09:32:34 +0200, Alexey Proskuryakov <ap@webkit.org> wrote:
> Per the current XHR spec draft, the Authorization header cannot be set
> from JavaScript for security reasons.
>
> As far as I know, no shipping browser blocks it - and when we started
> blocking it in WebKit, it caused a compatibility problem,
> <https://bugs.webkit.org/show_bug.cgi?id=24957>.
>
> What is the security reason to block this header?

Consistency with cross-origin requests where they need to be blocked to
prevent distributed dictionary attacks. I actually thought Opera already
blocked this header and the next Firefox release will do so as well.


-- 
Anne van Kesteren
http://annevankesteren.nl/
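The "distributed dictionary attack" Anne refers to, as an added example that is not part of the message above or of any browser's code: a page that can set Authorization on a cross-origin XMLHttpRequest can make every visitor's browser try a slice of a password list against a third-party site that uses HTTP Basic auth, so the guesses are spread across many client IPs. Everything here is an in-memory stand-in: the target credentials, the wordlist, `mockServer` and `setRequestHeader` are constructed for the illustration, and `Buffer` is assumed (Node.js; a browser would use `btoa`).

```javascript
// Added example (not from the mailing-list thread). Models a distributed
// dictionary attack over cross-origin requests carrying a script-set
// Authorization header, and the browser-side rule the XHR draft described
// (scripts may not set Authorization) that closes it. No network is touched.

// Constructed target site: a Basic-auth realm with one account.
const TARGET = { user: "admin", password: "hunter2" };

// Constructed dictionary; a real attack would use a large wordlist.
const WORDLIST = [
  "123456", "password", "letmein", "qwerty", "admin",
  "welcome", "hunter2", "monkey", "dragon", "football", "iloveyou",
];

// Header value a browser sends for HTTP Basic auth: "Basic " + base64(user:pass).
function basicAuthHeader(user, pass) {
  return "Basic " + Buffer.from(`${user}:${pass}`, "utf8").toString("base64");
}

// Stand-in for the victim server: compares the Authorization header against
// the one valid credential and answers 200 or 401.
function mockServer(headers) {
  const expected = basicAuthHeader(TARGET.user, TARGET.password);
  return { status: headers["authorization"] === expected ? 200 : 401 };
}

// Stand-in for XMLHttpRequest.setRequestHeader. With blockAuthorization set it
// applies the draft's rule: script cannot set Authorization, so the header
// never reaches the request and the attack cannot start.
function setRequestHeader(headers, name, value, blockAuthorization) {
  if (blockAuthorization && name.toLowerCase() === "authorization") {
    throw new Error(`refusing to set forbidden header ${name}`);
  }
  headers[name.toLowerCase()] = value;
}

// The slice of the wordlist one visitor is given, so n visitors cover the
// whole list with no overlap (visitor i tries indices i, i+n, i+2n, ...).
function sliceForVisitor(visitorIndex, totalVisitors) {
  return WORDLIST.filter((_, i) => i % totalVisitors === visitorIndex);
}

// What the attacker's page makes one visitor's browser do: try its slice and
// report the first guess that gets a 200. Returns null when nothing hit.
function visitorAttempt(visitorIndex, totalVisitors, blockAuthorization) {
  for (const guess of sliceForVisitor(visitorIndex, totalVisitors)) {
    const headers = {};
    setRequestHeader(headers, "Authorization",
                     basicAuthHeader(TARGET.user, guess), blockAuthorization);
    if (mockServer(headers).status === 200) return guess;
  }
  return null;
}

// The whole campaign: each visitor works its slice. Returns the cracked
// password and the most requests any single visitor sent (what the target
// sees per source IP), or blocked: true if the browser refused the header.
function distributedAttack(totalVisitors, blockAuthorization) {
  let cracked = null;
  let requestsPerVisitor = 0;
  try {
    for (let v = 0; v < totalVisitors; v++) {
      requestsPerVisitor = Math.max(requestsPerVisitor,
                                    sliceForVisitor(v, totalVisitors).length);
      const hit = visitorAttempt(v, totalVisitors, blockAuthorization);
      if (hit !== null) cracked = hit;
    }
  } catch (e) {
    return { cracked: null, blocked: true, requestsPerVisitor: 0 };
  }
  return { cracked, blocked: false, requestsPerVisitor };
}
```

With four visitors and no header rule, the password falls after at most three requests per client IP; with the rule on, the first `setRequestHeader` throws and no request is sent. For context, the standard as it later settled (Fetch) does not put Authorization on the forbidden-header list; instead a cross-origin request carrying a script-set Authorization header is not CORS-safelisted and so triggers a preflight, which the target must answer with Access-Control-Allow-Headers before the real request goes out.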
Received on Wednesday, 1 April 2009 09:50:23 GMT
