
Re: [XHR] withCredentials and HTTP authentication

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 12 Feb 2013 20:00:42 +0000
Message-ID: <CADnb78gMZRmC_PSfTUPx_5157MwwvbV=dhL=zRE5JSNhKgRLkg@mail.gmail.com>
To: Monsur Hossain <monsur@gmail.com>
Cc: public-webapps@w3.org
On Tue, Feb 12, 2013 at 7:52 PM, Monsur Hossain <monsur@gmail.com> wrote:
> I think what was confusing to me is that the
> Access-Control-Allow-Credentials section of the CORS spec indicates that a
> "true" value "indicates that the actual request can include user
> credentials."
> In the case of cookies, both the client's .withCredentials and the server's
> Access-Control-Allow-Credentials must be "true" in order for the user-agent
> to return the response to the client.
> But in the case of the "Authorization" header, the server's opt-in mechanism
> is Access-Control-Allow-Headers, and has no connection to
> Access-Control-Allow-Credentials.

Hmm, I see what you mean. But the user agent can provide the
Authorization header too based on a previous visit. That is the
meaning that is most often meant, but in the particular case of CORS
the semantics are subtly different. Not sure how to clarify that.

Received on Tuesday, 12 February 2013 20:01:16 UTC
