- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 01 Apr 2009 11:49:35 +0200
- To: "Alexey Proskuryakov" <ap@webkit.org>, public-webapps <public-webapps@w3.org>
On Wed, 01 Apr 2009 09:32:34 +0200, Alexey Proskuryakov <ap@webkit.org> wrote:

> Per the current XHR spec draft, the Authorization header cannot be set
> from JavaScript for security reasons.
>
> As far as I know, no shipping browser blocks it - and when we started
> blocking it in WebKit, it caused a compatibility problem,
> <https://bugs.webkit.org/show_bug.cgi?id=24957>.
>
> What is the security reason to block this header?

Consistency with cross-origin requests where they need to be blocked to prevent distributed dictionary attacks. I actually thought Opera already blocked this header and the next Firefox release will do so as well.

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 1 April 2009 09:50:23 UTC