Re: [XHR] Authorization header

On Wed, Apr 1, 2009 at 9:32 AM, Alexey Proskuryakov wrote:
> Per the current XHR spec draft, the Authorization header cannot be set from
> JavaScript for security reasons.
>
> As far as I know, no shipping browser blocks it - and when we started
> blocking it in WebKit, it caused a compatibility problem,
> <https://bugs.webkit.org/show_bug.cgi?id=24957>.
>
> What is the security reason to block this header?

Yep, we're using a custom HTTP auth scheme for a corporate
application: the first request validates the credentials and the
response contains an auth ticket that is passed in subsequent requests
in the Authorization header (similar to GoogleLogin I guess).
It has the (huge) advantage over browser-handled schemes (Basic and
Digest) that the browser doesn't pop a dialog so we can handle 401s in
the application (e.g. make sure the user isn't trying to authenticate
as another user, which could cause weird behaviors: data loaded
previously authenticated as user A and subsequent requests made as
user B).
Doing the same without Authorization would defeat HTTP auth (the
server could still send a 401 with a custom auth scheme, but we would
have to send the credentials in a custom X-Authorization header –makes
me think a bit about X-HTTP-Method-Override–)

-- 
Thomas Broyer

Received on Wednesday, 1 April 2009 07:55:11 UTC
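The ticket flow Thomas describes, as an added example that is not code from the thread or from his application: the scheme token "Ticket", the "X-Auth-Ticket" response header, the in-memory fake server and the injectable transport standing in for XMLHttpRequest are all assumptions made for illustration.

```javascript
// Constructed fake server state: ticket -> user. Not a real backend.
const TICKETS = new Map();

// Constructed stand-in for the XHR transport. /login validates credentials and
// issues a ticket; every other URL requires a valid ticket. The challenge uses a
// custom scheme, so a real browser would not pop an auth dialog on the 401.
function fakeServer(method, url, headers, body) {
  if (url === "/login") {
    const { user, password } = JSON.parse(body);
    if (password !== "secret-" + user) return { status: 401, headers: {}, body: "" };
    const ticket = "t-" + user + "-" + Math.random().toString(16).slice(2);
    TICKETS.set(ticket, user);
    return { status: 200, headers: { "X-Auth-Ticket": ticket }, body: "" };
  }
  const auth = headers["Authorization"] || "";
  const ticket = auth.startsWith("Ticket ") ? auth.slice(7) : null;
  if (!ticket || !TICKETS.has(ticket)) {
    return { status: 401, headers: { "WWW-Authenticate": "Ticket" }, body: "" };
  }
  return { status: 200, headers: {}, body: "hello " + TICKETS.get(ticket) };
}

class TicketClient {
  constructor(transport) { this.transport = transport; this.ticket = null; this.user = null; }

  // First request: credentials in the body, ticket comes back in the response.
  login(user, password) {
    if (this.user && this.user !== user) {
      // Refuse an identity switch mid-session: data already loaded as this.user
      // must not be mixed with requests made as someone else.
      throw new Error("already authenticated as " + this.user + "; logout first");
    }
    const res = this.transport("POST", "/login", {}, JSON.stringify({ user, password }));
    if (res.status !== 200) return false;
    this.ticket = res.headers["X-Auth-Ticket"];
    this.user = user;
    return true;
  }

  logout() { this.ticket = null; this.user = null; }

  // Subsequent requests carry the ticket in Authorization. A 401 is handled by
  // the application (session dropped, caller told), not by a browser dialog.
  request(method, url, body) {
    const headers = this.ticket ? { "Authorization": "Ticket " + this.ticket } : {};
    const res = this.transport(method, url, headers, body);
    if (res.status === 401) { this.logout(); return { authenticated: false, body: null }; }
    return { authenticated: true, body: res.body };
  }
}
```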