- From: Thomas Broyer <t.broyer@gmail.com>
- Date: Wed, 1 Apr 2009 09:54:32 +0200
- To: public-webapps@w3.org
On Wed, Apr 1, 2009 at 9:32 AM, Alexey Proskuryakov wrote:
> Per the current XHR spec draft, the Authorization header cannot be set from
> JavaScript for security reasons.
>
> As far as I know, no shipping browser blocks it - and when we started
> blocking it in WebKit, it caused a compatibility problem,
> <https://bugs.webkit.org/show_bug.cgi?id=24957>.
>
> What is the security reason to block this header?

Yep, we're using a custom HTTP auth scheme for a corporate application: the first request validates the credentials and the response contains an auth ticket that is passed in subsequent requests in the Authorization header (similar to GoogleLogin I guess).

It has the (huge) advantage over browser-handled schemes (Basic and Digest) that the browser doesn't pop a dialog, so we can handle 401s in the application (e.g. make sure the user isn't trying to authenticate as another user, which could cause weird behaviors: data loaded previously authenticated as user A and subsequent requests made as user B).

Doing the same without Authorization would defeat HTTP auth (the server could still send a 401 with a custom auth scheme, but we would have to send the credentials in a custom X-Authorization header – makes me think a bit about X-HTTP-Method-Override –).

--
Thomas Broyer
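The ticket flow Thomas describes, as an added example that is not part of the thread or of his application: the first request exchanges credentials for a ticket, later requests carry it in a script-set Authorization header, a 401 is returned to the application rather than producing a browser dialog, and re-authentication as a different user than the one whose data is loaded is refused. The scheme name "Ticket", the /login and /logout paths, and the transport interface (with an in-memory fake server) are assumptions for illustration.

```javascript
// Added example (not from the thread); "Ticket" scheme name, /login path and transport shape are assumed.
class TicketAuthClient {
  constructor(transport) {
    this.transport = transport; // injected so the flow can run against a fake
    this.ticket = null;
    this.user = null; // user whose data this session has loaded
  }
  // First request validates credentials; the response carries a ticket that
  // later requests present in Authorization. Refuses to switch users
  // mid-session (the "loaded as A, requesting as B" problem in the post).
  login(user, password) {
    if (this.user !== null && user !== this.user) {
      return { ok: false, reason: 'user-mismatch', expected: this.user };
    }
    const res = this.transport('POST', '/login', {}, { user, password });
    if (res.status !== 200) return { ok: false, reason: 'bad-credentials' };
    this.ticket = res.body.ticket;
    this.user = user;
    return { ok: true };
  }
  // Script-set Authorization: a 401 comes back to the application instead of
  // triggering the browser's Basic/Digest dialog.
  request(method, url) {
    const headers = this.ticket ? { Authorization: `Ticket ${this.ticket}` } : {};
    const res = this.transport(method, url, headers, null);
    if (res.status === 401) {
      this.ticket = null; // rejected or expired; the user binding is kept
      return { ok: false, reason: 'unauthorized' };
    }
    return { ok: true, body: res.body };
  }
}
// Constructed in-memory server standing in for the corporate backend.
function makeFakeServer(validPassword) {
  const tickets = new Map(); // ticket -> user
  let n = 0;
  return (method, url, headers, body) => {
    if (method === 'POST' && url === '/login') {
      if (body.password !== validPassword) return { status: 401, body: null };
      const ticket = `t${++n}`;
      tickets.set(ticket, body.user);
      return { status: 200, body: { ticket } };
    }
    const [scheme, ticket] = (headers.Authorization || '').split(' ');
    if (scheme !== 'Ticket' || !tickets.has(ticket)) return { status: 401, body: null };
    const owner = tickets.get(ticket);
    if (url === '/logout') tickets.delete(ticket); // server-side revocation
    return { status: 200, body: { owner } };
  };
}
```

In a real page the transport would wrap XMLHttpRequest and call setRequestHeader('Authorization', ...), which is exactly the call the draft under discussion would forbid.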
Received on Wednesday, 1 April 2009 07:55:11 UTC