W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2012

Re: [XHR]

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 13 Sep 2012 15:02:58 +0200
Message-ID: <CADnb78hco3hpUGVPyXuNdQ_0NfvsLkTG5dQr-aJxC_XbAb4Xxg@mail.gmail.com>
To: Paul.Todd@sybase.com
Cc: public-webapps@w3.org
On Tue, Sep 11, 2012 at 2:39 PM,  <Paul.Todd@sybase.com> wrote:
> "If the user agent supports HTTP Authentication and Authorization is not in
> the list of author request headers, it should consider requests originating
> from the XMLHttpRequest object to be part of the protection space that
> includes the accessed URIs and send Authorization headers and handle 401
> Unauthorized requests appropriately."
>
> This bit is clear, however there is no mention of what should happen if the
> Authorization header is present in the author request headers and there is
> no HTTP Authentication (username and password) in the open call going across
> domains. It is implied however that the Authorization header should be
> disallowed:
>
> "Request username and request password are always ignored as part of a
> cross-origin request; including them would allow a site to perform a
> distributed password search. "

Actually no. If you create your own Authorization header it's fine
(assuming your server advertises support for that particular header
using CORS). Maybe we should change things around again given the new
header opt-in so that you can use username/password too.


-- 
http://annevankesteren.nl/
Received on Thursday, 13 September 2012 13:03:36 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:54 GMT