
Re: Re: Re: Fetch: HTTP authentication and CORS

From: Hallvord Reiar Michaelsen Steen <hallvord@opera.com>
Date: Mon, 06 May 2013 22:39:35 +0200
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "WebAppSec WG" <public-webappsec@w3.org>, "WebApps WG" <public-webapps@w3.org>, "Anne van Kesteren" <annevk@annevk.nl>
Message-ID: <f7e27af60efdc63bcb89b65c8d7f8587@opera.com>
> >> Here I don't agree anymore. If I want to retrieve a HTTP auth-protected resource
> >> with XHR from a CORS-enabled server, the natural thing to do seems to try to pass
> >> in the user name and password in the XHR open() call. If the script author supplied
> >> user/pass and the server says 401 on a request without Authorization: surely the
> >> natural next step is to re-try with Authorization:?
> > 
> > If the caller to the XHR.open() call provided a username and password,
> > then shouldn't the implementation send that information in the *first*
> > request rather than waiting for a 401?

> I'd like to do that, but Anne thinks it violates the HTTP protocol

Replying to self, this would break the authentication method negotiation that HTTP allows (i.e. selection of basic, digest, and more proprietary stuff like NTLM). Hence we should wait for a 401 challenge. 

(Could we however fix this in CORS so that the WWW-Authenticate header could be included in a preflight response where applicable?)

Hallvord R. M. Steen
Core tester, Opera Software
Received on Monday, 6 May 2013 20:39:43 UTC
