
[XHR2] undefined as user/password arguments

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 11 Apr 2012 03:57:23 -0700
Message-ID: <CA+c2ei-7v1_Obua8Ztdytspq3dB5C6dWLiM5T0ge=jbw5VntEQ@mail.gmail.com>
To: Webapps WG <public-webapps@w3.org>, Boris Zbarsky <bzbarsky@mozilla.com>

Hi All,

Apologies if this has been discussed before and I missed it, or have
forgotten about it.

Currently the IDL for the .open function looks as follows:

open(DOMString method, DOMString url, optional boolean async, optional
DOMString? user, optional DOMString? password);

This means that if anything other than null is passed as value for the
user/password arguments, then the value should be stringified per
normal WebIDL/ECMAScript rules. This includes if the value undefined
is passed, which would be converted to "undefined" as both username
and password.

We accidentally made this change a while back, but discovered that
this isn't compatible with the web [1][2]. In particular, the Dojo
toolkit contains code like:

xhr.open(method, ioArgs.url, args.sync !== true, args.user ||
undefined, args.password || undefined);

For "normal" requests this results in the username and password
"undefined" being used. This isn't a big deal since I think many
servers simply ignore the username/password if they are not required
for the resource. But it still seems non-ideal. A bigger deal however
is that for a cross-site request, the requirements in CORS cause such
a request to be denied, causing [1].

It also caused sites that use mootools to break when the site was
using basic authentication [2].

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=605296
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=609865

So I suspect we need to add [TreatUndefinedAs=EmptyString] or
[TreatUndefinedAs=Null] (the effect is the same here) to both the user
and password arguments.

/ Jonas
Received on Wednesday, 11 April 2012 10:58:26 GMT
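
The argument conversion described in the message above, as an added example that is not part of the original post and is not code from Dojo, MooTools, the XHR specification or any browser. It models how an explicit undefined becomes the credential string "undefined", how the proposed annotation changes that, and a caller-side guard that passes null instead. The helper names (toNullableDOMString, modelOpen, dojoStyleCall, guardedCall) and the sample URL are assumptions made for illustration.

```javascript
// Added illustration. Helper names are hypothetical; the URL is a constructed sample.

// WebIDL conversion of an ECMAScript value to `DOMString?`: null stays null,
// anything else goes through ToString. treatUndefinedAsNull models the
// [TreatUndefinedAs=Null] annotation proposed in the message.
function toNullableDOMString(value, treatUndefinedAsNull) {
  if (value === null) return null;
  if (value === undefined && treatUndefinedAsNull) return null;
  return String(value); // undefined becomes the string "undefined"
}

// Model of what open() receives as user/password. An omitted argument is
// never converted; one passed explicitly as undefined is.
function modelOpen(treatUndefinedAsNull, method, url, isAsync, ...rest) {
  const [user, password] = [0, 1].map((i) =>
    i < rest.length ? toNullableDOMString(rest[i], treatUndefinedAsNull) : null);
  return { user, password, hasCredentials: user !== null || password !== null };
}

// The call pattern quoted from the Dojo toolkit in the message.
function dojoStyleCall(args, treatUndefinedAsNull) {
  return modelOpen(treatUndefinedAsNull, "GET", args.url, args.sync !== true,
    args.user || undefined, args.password || undefined);
}

// Caller-side guard: pass null for unset credentials, so the outcome does not
// depend on how the browser converts undefined.
function guardedCall(args) {
  return modelOpen(false, "GET", args.url, args.sync !== true,
    args.user ? String(args.user) : null,
    args.password ? String(args.password) : null);
}

const sample = { url: "https://api.example.test/data" }; // constructed input
console.log(dojoStyleCall(sample, false)); // plain stringification
console.log(dojoStyleCall(sample, true));  // with the proposed annotation
console.log(guardedCall(sample));          // caller-side guard
```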
