Re: [whatwg/fetch] CORS: why is Authorization request header forcing preflight? (#770)

> It's a general question

I ask because HTTP authorization schemes are meant to be registered - http://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml - and the question is to determine which of the methods in that registry apply here.

> And, of course, it also theoretically could be used for enumeration. But practically it's a non-issue given strong cryptography and a limited lifetime.

I don't think that's a fair statement. The UA doesn't know how the server will interpret it - that is, there's no way to know which registered (as they hopefully are) method the server will interpret the credential challenge as. So the enumeration risk is the browser granting access to a 3P website without the 1P's consent - hence, the preflight.

That said, there are other headers that are just as applicable, and my (very limited) understanding of OAuth2 is that it hasn't pursued an Authorization based approach. However, that hopefully explains (some of) the Web Platform risk of allowing 3P to send 1P arbitrary "Authorization" headers and why they're explicitly called out as 'credentials' for the same reason. This also captures why URLs embedded with credentials are also restricted across origin boundaries.

https://github.com/whatwg/fetch/issues/770#issuecomment-399201808

Received on Thursday, 21 June 2018 18:35:16 UTC
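As an added illustration of the point made above (example code, not from the whatwg/fetch project or its author): a simplified model of the Fetch spec's CORS-safelisted request test, showing that a custom Authorization header pushes an otherwise "simple" request into preflight, beside a constructed first-party preflight handler that only grants Authorization to origins it has consented to. The trusted-origin set, origin names and the policy itself are assumptions for the demo; the safelist check omits the spec's 128-byte value limit and the Range rule.

```javascript
// Simplified model of the Fetch spec's CORS-safelisted method/header rules.
// Constructed for illustration; not the whatwg/fetch reference code.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// True when a cross-origin request would trigger an OPTIONS preflight.
// Omits the spec's 128-byte header-value limit and the Range header rule.
function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    // Any non-safelisted header, Authorization included, forces preflight.
    if (!SAFELISTED_HEADERS.has(lname)) return true;
    if (lname === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// First-party preflight decision (constructed policy, an assumption of this
// example): Authorization is echoed in Access-Control-Allow-Headers only for
// origins the first party has explicitly consented to; everyone else gets a
// response the browser will treat as a failed preflight.
function handlePreflight(origin, accessControlRequestHeaders, trustedOrigins) {
  const wanted = accessControlRequestHeaders
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const asksForAuth = wanted.includes('authorization');
  if (asksForAuth && !trustedOrigins.has(origin)) {
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Headers': wanted.join(', '),
      'Vary': 'Origin',
    },
  };
}
```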