
[XHR] withCredentials and HTTP authentication

From: Monsur Hossain <monsur@gmail.com>
Date: Mon, 11 Feb 2013 22:24:21 -0600
Message-ID: <CAKSyWQmNypyfJKTafsz23kqXbHhjnmCtDN=GAHbm657RVhzYVw@mail.gmail.com>
To: public-webapps@w3.org

The XHR spec defines "user credentials" as "cookies, HTTP authentication,
and client-side SSL certificates". It's not clear to me what "HTTP
authentication" is referring to.

I assumed it was referring to the HTTP authentication in RFC 2617, which
uses the "Authorization" header. But a quick test
<http://client.cors-api.appspot.com/client#?client_method=GET&client_credentials=false&client_headers=Authorization%3A%20Basic%20QWxhZGRpbjpvcGVuIHNlc2FtZQ%3D%3D&server_enable=true&server_status=200&server_credentials=false&server_headers=Authorization&server_tabs=local>
shows that arbitrary Authorization headers are allowed on CORS requests.

It could also mean the http://<username>@<password>:domain.com form of
authentication (not sure where this is formally defined).

What type of http authentication is the XHR spec referring to?

Thanks,
Monsur
Received on Tuesday, 12 February 2013 04:24:51 GMT
