[XHR] Authorization header

Per the current XHR spec draft, the Authorization header cannot be set  
from JavaScript for security reasons.

As far as I know, no shipping browser blocks it - and when we started
blocking it in WebKit, it caused a compatibility problem, <https://bugs.webkit.org/show_bug.cgi?id=24957>.

What is the security reason to block this header?

- WBR, Alexey Proskuryakov

Received on Wednesday, 1 April 2009 07:33:14 UTC