- From: Charles McCathieNevile <chaals@opera.com>
- Date: Tue, 18 Apr 2006 21:04:15 +0200
- To: "Charles McCathieNevile" <chaals@opera.com>, "Web API public" <public-webapi@w3.org>
On Tue, 04 Apr 2006 14:02:23 +0200, Charles McCathieNevile
<chaals@opera.com> wrote:
> At the face to face we discussed the question of whether open() should
> be allowed/obliged/forbidden/... to use the authentication information
> that had been provided to access a page. In summary, I think the answer
> is "Yes, subject to security restrictions that may be imposed by a
> browser".
An additional possibility, of course, is that the browser seperately ask
the user to approve, or re-authenticate for, the request.
I guess a browser may send the authentication information without making
it available to the script (e.g. in the case of some useful, trusted XSS),
although it is always available to the server, of course.
cheers
Chaals
--
Charles McCathieNevile chaals@opera.com
hablo español - je parle français - jeg lærer norsk
Peek into the kitchen: http://snapshot.opera.com/
Received on Tuesday, 18 April 2006 19:04:28 UTC