
Re: [XHR] Authorization header

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 01 Apr 2009 11:49:35 +0200
To: "Alexey Proskuryakov" <ap@webkit.org>, public-webapps <public-webapps@w3.org>
Message-ID: <op.urpb8xfl64w2qv@annevk-t60.oslo.opera.com>
On Wed, 01 Apr 2009 09:32:34 +0200, Alexey Proskuryakov <ap@webkit.org> wrote:
> Per the current XHR spec draft, the Authorization header cannot be set  
> from JavaScript for security reasons.
> As far as I know, no shipping browser blocks it - and when we started  
> blocking it in WebKit, it caused a compatibility problem,  
> <https://bugs.webkit.org/show_bug.cgi?id=24957>.
> What is the security reason to block this header?

Consistency with cross-origin requests where they need to be blocked to  
prevent distributed dictionary attacks. I actually thought Opera already  
blocked this header and the next Firefox release will do so as well.

Anne van Kesteren
Received on Wednesday, 1 April 2009 09:50:23 UTC
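The threat Anne names above, a distributed dictionary attack in which many visitors' browsers each contribute a few credential guesses against a third-party server, is something the targeted server can look for in its own access logs. The following is an added example, not code from this thread, the XHR spec or any browser: it flags accounts that receive repeated 401 responses from many distinct client addresses within a short window, over constructed combined-format log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined format). The third field is the
# user name taken from the Authorization header; Apache records it even when
# the response is 401, which is exactly what makes guessing visible here.
SAMPLE_LOG = """\
203.0.113.5 - alice [01/Apr/2009:09:32:34 +0200] "GET /private HTTP/1.1" 401 0
198.51.100.7 - alice [01/Apr/2009:09:32:35 +0200] "GET /private HTTP/1.1" 401 0
192.0.2.44 - alice [01/Apr/2009:09:32:36 +0200] "GET /private HTTP/1.1" 401 0
203.0.113.9 - alice [01/Apr/2009:09:32:37 +0200] "GET /private HTTP/1.1" 401 0
198.51.100.2 - alice [01/Apr/2009:09:32:38 +0200] "GET /private HTTP/1.1" 401 0
192.0.2.10 - alice [01/Apr/2009:09:32:39 +0200] "GET /private HTTP/1.1" 401 0
203.0.113.5 - bob [01/Apr/2009:09:40:00 +0200] "GET /private HTTP/1.1" 401 0
203.0.113.5 - bob [01/Apr/2009:09:40:01 +0200] "GET /private HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def detect_distributed_guessing(log_text, window=timedelta(minutes=1),
                                min_attempts=5, min_sources=3):
    """Return {user: summary} for accounts whose 401s inside any `window`
    reach `min_attempts` and come from at least `min_sources` distinct IPs.
    A single misbehaving client never trips `min_sources`; a distributed
    guessing run does."""
    failures = defaultdict(list)  # user -> [(timestamp, client ip), ...]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "401" or m["user"] == "-":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        failures[m["user"]].append((ts, m["ip"]))

    flagged = {}
    for user, events in failures.items():
        events.sort()  # logs are not guaranteed to be in time order
        start = 0
        for end, (ts, _ip) in enumerate(events):
            while ts - events[start][0] > window:  # slide window forward
                start += 1
            span = events[start:end + 1]
            sources = {ip for _t, ip in span}
            if len(span) >= min_attempts and len(sources) >= min_sources:
                best = flagged.get(user)
                if best is None or len(span) > best["attempts"]:
                    flagged[user] = {"attempts": len(span), "sources": len(sources),
                                     "first": span[0][0], "last": ts}
    return flagged
```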
