Re: [XHR] withCredentials and HTTP authentication

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 12 Feb 2013 09:37:33 +0000
Message-ID: <CADnb78jgmm_pMCaUKgUWXrG9BpL3mpTJ59Yx94KEHgTZMXeNrA@mail.gmail.com>
To: Monsur Hossain <monsur@gmail.com>
Cc: public-webapps@w3.org

On Tue, Feb 12, 2013 at 4:24 AM, Monsur Hossain <monsur@gmail.com> wrote:
> The XHR spec defines "user credentials" as "cookies, HTTP authentication,
> and client-side SSL certificates". It's not clear to me what "HTTP
> authentication" is referring to.
>
> I assumed it was referring to the HTTP authentication in RFC 2617, which
> uses the "Authorization" header. But a quick test shows that arbitrary
> Authorization headers are allowed on CORS requests.
>
> It could also mean the http://<username>@<password>:domain.com form of
> authentication (not sure where this is formally defined).
>
> What type of http authentication is the XHR spec referring to?

User credentials stored by the user agent based on a previous visit to the URL.

Authorization is only allowed through CORS if the server opts in, btw.

These details should become more clear once I turn
http://wiki.whatwg.org/wiki/Fetch into a proper specification.


-- 
http://annevankesteren.nl/
Received on Tuesday, 12 February 2013 09:38:01 GMT
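
The distinction drawn in this thread, as an added example that is not part of the original message or of any specification text: a simplified model of the CORS checks in the Fetch Standard, separating an author-set Authorization header (needs an Access-Control-Allow-Headers opt-in) from credentials stored by the user agent (withCredentials, needs Access-Control-Allow-Credentials and an exact origin). The function name, the object shapes and the sample origin are assumptions, and value restrictions on safelisted headers are left out.

```javascript
// Simplified model of the browser-side CORS checks (added illustration).
// corsAllows and the request/response shapes are hypothetical names.
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);

function parseList(value) {
  return (value || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

// request:  { origin, withCredentials, headers: [header names set by the page] }
// response: preflight response headers, keys lower-cased
function corsAllows(request, response) {
  const allowOrigin = response["access-control-allow-origin"];
  const credentialed = request.withCredentials === true;

  // Stored credentials (cookies, cached HTTP auth, client certificates)
  // require an exact origin match and an explicit credentials opt-in.
  if (credentialed) {
    if (allowOrigin !== request.origin) return { ok: false, reason: "origin" };
    if (response["access-control-allow-credentials"] !== "true")
      return { ok: false, reason: "credentials" };
  } else if (allowOrigin !== "*" && allowOrigin !== request.origin) {
    return { ok: false, reason: "origin" };
  }

  // Author-set headers outside the safelist need a server opt-in.
  const allowed = new Set(parseList(response["access-control-allow-headers"]));
  for (const name of request.headers.map(h => h.toLowerCase())) {
    if (SAFELISTED.has(name) || allowed.has(name)) continue;
    // "*" never covers Authorization and is literal on credentialed requests.
    if (allowed.has("*") && !credentialed && name !== "authorization") continue;
    return { ok: false, reason: "header:" + name };
  }
  return { ok: true, reason: null };
}

// Constructed sample: the server has opted in to neither mechanism.
const sample = { "access-control-allow-origin": "*" };
console.log(corsAllows(
  { origin: "https://app.example", withCredentials: false, headers: ["Authorization"] },
  sample)); // blocked: the Authorization header was not opted in
```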