
Re: XHR using user and password parameters

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Mon, 11 Jul 2011 15:51:44 +0200
To: "Hallvord R. M. Steen" <hallvord@opera.com>
Cc: "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <isvl175743kgl2ps0601kkpvvje46cljdg@hive.bjoern.hoehrmann.de>

* Hallvord R. M. Steen wrote:
>Many implementations don't send the Authorize: header even if the script  
>supplies user name and password, unless they have seen a 401 response.  
>This seems a bit counter-intuitive to authors - if they supply a user name  
>and a password, why isn't the browser actually sending it to the server? I  
>think it would be simpler to author for if we sent Authorize: whenever a  
>user name and password are supplied. Is there any particular reason we  
>don't? Would it be seen as violating the HTTP standard's text about 401  
>and Authorize: if we did spec something like that?

You need to know the authentication method in order to form the header;
you don't know whether it's Basic or Digest or some other method, and if
you did, you might still need information from the server such as the
realm. So, you need to make a failing request first, unless you limit
yourself to Basic authentication.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Monday, 11 July 2011 13:51:57 GMT
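
The point made in the reply above, as an added example that is not part of the original message or of any browser's code: a Basic header can be formed from the credentials alone, while a Digest header cannot be computed until a 401 challenge has supplied the realm and nonce. The function names are hypothetical, the sketch assumes Node.js and MD5 Digest with qop=auth, and the sample challenge uses the example values from RFC 2617.

```javascript
// Added illustration: Basic vs. Digest header construction (Node.js).
const { createHash } = require('node:crypto');
const md5 = (s) => createHash('md5').update(s, 'utf8').digest('hex');

// Basic (RFC 7617): a pure function of the credentials, so it can be
// formed before any response from the server has been seen.
function basicHeader(user, pass) {
  return 'Basic ' + Buffer.from(`${user}:${pass}`, 'utf8').toString('base64');
}

// Parse a single-scheme WWW-Authenticate value into scheme + parameters.
function parseChallenge(value) {
  const space = value.indexOf(' ');
  const params = {};
  const re = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  for (const m of value.slice(space + 1).matchAll(re)) {
    params[m[1].toLowerCase()] =
      m[2] !== undefined ? m[2].replace(/\\(.)/g, '$1') : m[3];
  }
  return { scheme: value.slice(0, space).toLowerCase(), params };
}

// Digest (RFC 2617, MD5, qop=auth): realm and nonce are server-chosen and
// arrive in the 401 challenge, so the first request cannot carry this header.
function digestHeader(user, pass, method, uri, challenge, cnonce, nc = '00000001') {
  const { scheme, params } = parseChallenge(challenge);
  const qops = String(params.qop || '').split(',').map((q) => q.trim());
  if (scheme !== 'digest' || !params.realm || !params.nonce || !qops.includes('auth')) {
    throw new Error('no usable Digest challenge (need realm, nonce, qop=auth)');
  }
  const ha1 = md5(`${user}:${params.realm}:${pass}`);
  const ha2 = md5(`${method}:${uri}`);
  const response = md5(`${ha1}:${params.nonce}:${nc}:${cnonce}:auth:${ha2}`);
  let h = `Digest username="${user}", realm="${params.realm}", ` +
    `nonce="${params.nonce}", uri="${uri}", qop=auth, nc=${nc}, ` +
    `cnonce="${cnonce}", response="${response}"`;
  if (params.opaque) h += `, opaque="${params.opaque}"`;
  return h;
}

// Sample challenge using the example values from RFC 2617, section 3.5.
const SAMPLE_CHALLENGE = 'Digest realm="testrealm@host.com", ' +
  'qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", ' +
  'opaque="5ccc069c403ebaf9f0171e9517f40e41"';
```

Sending Basic preemptively also means the password leaves the client in reversible form on the first request, so it should only ever be done over TLS.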