
Re: [XHR] withCredentials and HTTP authentication

From: Monsur Hossain <monsur@gmail.com>
Date: Tue, 12 Feb 2013 13:30:44 -0600
Message-ID: <CAKSyWQn+PJo4GL=g7s3UAEz1vF3TofY4GtsKMwzPAkF_Wh5QnQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: public-webapps@w3.org
On Tue, Feb 12, 2013 at 3:37 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Feb 12, 2013 at 4:24 AM, Monsur Hossain <monsur@gmail.com> wrote:
> > The XHR spec defines "user credentials" as "cookies, HTTP authentication,
> > and client-side SSL certificates". It's not clear to me what "HTTP
> > authentication" is referring to.
> >
> > I assumed it was referring to the HTTP authentication in RFC 2617, which
> > uses the "Authorization" header. But a quick test shows that arbitrary
> > Authorization headers are allowed on CORS requests.
> >
> > It could also mean the http://<username>@<password>:domain.com form of
> > authentication (not sure where this is formally defined).
> >
> > What type of http authentication is the XHR spec referring to?
>
> User credentials stored by the user agent based on a previous visit to the
> URL.
>

Ok thanks. I think it would be useful if the "HTTP authentication" in the
above sentence snippet were either dropped or clarified (The CORS spec also
uses the same sentence).

Authorization is only allowed through CORS if the server opts in, btw.
>
> These details should become more clear once I turn
> http://wiki.whatwg.org/wiki/Fetch into a proper specification.
>
>
> --
> http://annevankesteren.nl/
>
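The point made above (a hand-set Authorization header only crosses origins if the server opts in, and stored credentials only flow when the server opts into credentials) can be modelled as the decision a CORS-aware server makes on a preflight. The following is an added example, not code from the thread or from any real server; `evaluatePreflight` and the `policy` shape are assumptions made for illustration.

```javascript
// Added illustration of the server-side CORS preflight decision described above.
// Headers the browser sends without any opt-in (CORS-safelisted request headers);
// anything else, such as Authorization, must be listed by the server.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// request: { origin, requestHeaders: [...names from Access-Control-Request-Headers], withCredentials }
// policy (assumed shape): { allowedOrigins: [...], allowCredentials: bool, allowedHeaders: [...] }
function evaluatePreflight(request, policy) {
  const origin = request.origin;
  if (!policy.allowedOrigins.includes(origin)) {
    return { allowed: false, reason: `origin ${origin} not allowed` };
  }
  // Author-set headers outside the safelist need an explicit server opt-in.
  const needed = request.requestHeaders
    .map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED.has(h));
  const permitted = new Set(policy.allowedHeaders.map((h) => h.toLowerCase()));
  const missing = needed.filter((h) => !permitted.has(h));
  if (missing.length > 0) {
    return { allowed: false, reason: `server did not opt in to header(s): ${missing.join(', ')}` };
  }
  // Stored credentials (cookies, cached HTTP auth, client certs) need a second opt-in.
  if (request.withCredentials && !policy.allowCredentials) {
    return { allowed: false, reason: 'server did not opt in to credentials' };
  }
  // A credentialed response must name the exact origin; browsers reject "*" here.
  const headers = { 'Access-Control-Allow-Origin': origin };
  if (needed.length > 0) headers['Access-Control-Allow-Headers'] = needed.join(', ');
  if (request.withCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return { allowed: true, headers };
}

// Constructed sample input: a credentialed cross-origin request carrying Authorization.
const sampleRequest = {
  origin: 'https://app.example',
  requestHeaders: ['Authorization'],
  withCredentials: true,
};
const policyWithoutHeaderOptIn = {
  allowedOrigins: ['https://app.example'],
  allowCredentials: true,
  allowedHeaders: [],
};
const policyWithHeaderOptIn = { ...policyWithoutHeaderOptIn, allowedHeaders: ['Authorization'] };
```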
Received on Tuesday, 12 February 2013 19:31:14 GMT
