- From: <Paul.Todd@sybase.com>
- Date: Thu, 13 Sep 2012 08:11:58 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: <public-webapps@w3.org>
Hi, Its still unclear, given that I was creating the Authorization header as per RFC 2616 AND the server does not support CORS or advertise CORS but supports Basic authentication. I would have expected this to fail given that it would allow a distributed password search. Paul SAP Sybase iAnywhere, 10 Queen Square, Bristol, BS1 4NT T +44 117 315 3900 NOTICE: This e-mail message and all attachments transmitted with it are intended solely for the use of the addressee and may contain confidential information. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, copying or other use of this communication or its attachments is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this message and please immediately delete it from your computer. Sybase (UK) Limited, Sybase Court, Crown Lane, Maidenhead, Berkshire SL6 8QZ is a company incorporated in England & Wales under company registration number 2175260. -----<annevankesteren@gmail.com> wrote: ----- To: <Paul.Todd@sybase.com> From: Anne van Kesteren Sent by: Date: 13/09/2012 02:03PM Cc: <public-webapps@w3.org> Subject: Re: [XHR] On Tue, Sep 11, 2012 at 2:39 PM, <Paul.Todd@sybase.com> wrote: > "If the user agent supports HTTP Authentication and Authorization is not in > the list of author request headers, it should consider requests originating > from the XMLHttpRequest object to be part of the protection space that > includes the accessed URIs and send Authorization headers and handle 401 > Unauthorized requests appropriately." > > This bit is clear, however there is no mention of what should happen if the > Authorization header is present in the author request headers and there is > no HTTP Authentication (username and password) in the open call going across > domains. It is implied however that the Authorization header should be > disallowed: > > "Request username and request password are always ignored as part of a > cross-origin request; including them would allow a site to perform a > distributed password search. " Actually no. If you create your own Authorization header it's fine (assuming your server advertises support for that particular header using CORS). Maybe we should change things around again given the new header opt-in so that you can use username/password too. -- http://annevankesteren.nl/
Received on Thursday, 13 September 2012 15:12:46 UTC