- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 12 Feb 2013 09:37:33 +0000
- To: Monsur Hossain <monsur@gmail.com>
- Cc: public-webapps@w3.org
On Tue, Feb 12, 2013 at 4:24 AM, Monsur Hossain <monsur@gmail.com> wrote:

> The XHR spec defines "user credentials" as "cookies, HTTP authentication,
> and client-side SSL certificates". It's not clear to me what "HTTP
> authentication" is referring to.
>
> I assumed it was referring to the HTTP authentication in RFC 2617, which
> uses the "Authorization" header. But a quick test shows that arbitrary
> Authorization headers are allowed on CORS requests.
>
> It could also mean the http://<username>@<password>:domain.com form of
> authentication (not sure where this is formally defined).
>
> What type of http authentication is the XHR spec referring to?

User credentials stored by the user agent based on a previous visit to the URL.

Authorization is only allowed through CORS if the server opts in, btw.

These details should become more clear once I turn http://wiki.whatwg.org/wiki/Fetch into a proper specification.

--
http://annevankesteren.nl/
Received on Tuesday, 12 February 2013 09:38:01 UTC
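
The two server opt-ins discussed in this thread, as an added example that is not part of the original messages: a simplified model of the browser-side CORS checks, separating a script-set `Authorization` header from credentials the user agent has stored. The function names, origins and header values are constructed for illustration, and the handling of `*` follows the current Fetch specification rather than the 2013 drafts.

```javascript
// Simplified model of a browser's CORS checks (added example, not spec text).
// Response headers are plain objects with lower-case names; sample values are constructed.

// Per the Fetch spec, "*" in Access-Control-Allow-Headers never covers Authorization.
const NON_WILDCARD_HEADERS = new Set(["authorization"]);

function parseList(value) {
  return (value || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Preflight: may the script attach these non-safelisted, author-set request headers?
function preflightAllowsHeaders(authorHeaders, withCredentials, preflightResponse) {
  const allowed = parseList(preflightResponse["access-control-allow-headers"]);
  // "*" is only a wildcard when the request does not carry stored credentials.
  const wildcard = !withCredentials && allowed.includes("*");
  return authorHeaders.every(name => {
    const n = name.toLowerCase();
    if (allowed.includes(n)) return true; // explicit server opt-in
    return wildcard && !NON_WILDCARD_HEADERS.has(n);
  });
}

// Actual response: may the page read it, given whether stored credentials were sent?
function responseReadable(origin, withCredentials, response) {
  const acao = response["access-control-allow-origin"];
  if (!withCredentials) return acao === "*" || acao === origin;
  // Cookies, cached HTTP authentication and client certificates need both:
  // an exact origin match and Access-Control-Allow-Credentials: true.
  return acao === origin && response["access-control-allow-credentials"] === "true";
}

// req: { origin, withCredentials, headers: [author-set header names] }
function corsAllows(req, preflightResponse, response) {
  return preflightAllowsHeaders(req.headers, req.withCredentials, preflightResponse)
      && responseReadable(req.origin, req.withCredentials, response);
}
```

A server that answers only with `Access-Control-Allow-Origin: *` therefore never exposes responses fetched with the user's stored credentials, and never accepts a script-supplied `Authorization` header unless it lists that header by name.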