Re: [XHR] withCredentials and HTTP authentication

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 12 Feb 2013 20:00:42 +0000
Message-ID: <CADnb78gMZRmC_PSfTUPx_5157MwwvbV=dhL=zRE5JSNhKgRLkg@mail.gmail.com>
To: Monsur Hossain <monsur@gmail.com>
Cc: public-webapps@w3.org
On Tue, Feb 12, 2013 at 7:52 PM, Monsur Hossain <monsur@gmail.com> wrote:
> I think what was confusing to me is that the
> Access-Control-Allow-Credentials section of the CORS spec indicates that a
> "true" value "indicates that the actual request can include user
> credentials."
>
> In the case of cookies, both the client's .withCredentials and the server's
> Access-Control-Allow-Credentials must be "true" in order for the user-agent
> to return the response to the client.
>
> But in the case of the "Authorization" header, the server's opt-in mechanism
> is Access-Control-Allow-Headers, and has no connection to
> Access-Control-Allow-Credentials.

Hmm, I see what you mean. But the user agent can provide the
Authorization header too based on a previous visit. That is the
meaning that is most often meant, but in the particular case of CORS
the semantics are subtly different. Not sure how to clarify that
exactly.


-- 
http://annevankesteren.nl/
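To make the distinction in this exchange concrete, here is an added example (not code from the thread or from any browser) that models the two separate server opt-ins a user agent checks: Access-Control-Allow-Headers for a header the script sets itself, and Access-Control-Allow-Credentials for a request made with withCredentials. The origin and the header sets below are constructed sample values.

```javascript
// Added example: a model of the two separate CORS opt-ins discussed in the
// thread. The origin and request/response objects below are constructed.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// A header set by script via setRequestHeader() that is not safelisted forces
// a preflight; Authorization is such a header.
function needsPreflight(req) {
  return req.scriptHeaders.some((h) => !SAFELISTED.has(h.toLowerCase()));
}

// Opt-in #1: the preflight response must list every script-set header in
// Access-Control-Allow-Headers (comma separated, case-insensitive).
function preflightAllowsHeaders(req, preflight) {
  const allowed = (preflight['access-control-allow-headers'] || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  return req.scriptHeaders.every((h) => allowed.includes(h.toLowerCase()));
}

// Opt-in #2: the resource sharing check. With withCredentials (cookies, or an
// Authorization header the user agent itself supplies from a previous visit),
// "*" is rejected and Access-Control-Allow-Credentials: true is required.
function sharingCheckPasses(req, resp) {
  const allowOrigin = resp['access-control-allow-origin'];
  if (!req.withCredentials) return allowOrigin === '*' || allowOrigin === req.origin;
  return allowOrigin === req.origin && resp['access-control-allow-credentials'] === 'true';
}

// Would the user agent hand the actual response to the calling script?
function responseExposed(req, preflight, actual) {
  if (needsPreflight(req)) {
    if (!sharingCheckPasses(req, preflight) || !preflightAllowsHeaders(req, preflight)) return false;
  }
  return sharingCheckPasses(req, actual);
}

// Constructed cases mirroring the thread.
const origin = 'https://app.example';
const cookieReq = { origin, withCredentials: true, scriptHeaders: [] };
const authHeaderReq = { origin, withCredentials: false, scriptHeaders: ['Authorization'] };

// Cookies: a matching Allow-Origin alone is not enough without Allow-Credentials.
const cookieBlocked = responseExposed(cookieReq, {}, { 'access-control-allow-origin': origin });
const cookieAllowed = responseExposed(cookieReq, {}, { 'access-control-allow-origin': origin, 'access-control-allow-credentials': 'true' });

// Script-set Authorization: gated by Allow-Headers in the preflight, not by Allow-Credentials.
const preflightWithAuth = { 'access-control-allow-origin': '*', 'access-control-allow-headers': 'Authorization' };
const authAllowed = responseExposed(authHeaderReq, preflightWithAuth, { 'access-control-allow-origin': '*' });
const authBlocked = responseExposed(authHeaderReq, { 'access-control-allow-origin': '*' }, { 'access-control-allow-origin': '*' });
```

The last two cases show Monsur's point: an Authorization header the script adds is accepted on the strength of Allow-Headers alone, whereas any credentialed request (including one where the user agent adds Authorization itself) additionally needs Allow-Credentials.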
Received on Tuesday, 12 February 2013 20:01:16 GMT