
Re: [XHR] Authorization header

From: Alexey Proskuryakov <ap@webkit.org>
Date: Wed, 1 Apr 2009 14:05:08 +0400
Cc: public-webapps <public-webapps@w3.org>
Message-Id: <0E3A21FD-8B48-4D9D-ABD4-B85FD2100048@webkit.org>
To: Anne van Kesteren <annevk@opera.com>

On 01.04.2009, at 13:49, Anne van Kesteren wrote:

> Consistency with cross-origin requests where they need to be blocked  
> to prevent distributed dictionary attacks. I actually thought Opera  
> already blocked this header and the next Firefox release will do so  
> as well.

According to <http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsXMLHttpRequest.cpp#2903> and my testing, Firefox doesn't block it.

As there seems to be no danger in allowing this header for same origin  
requests, I'd suggest removing it from the list of forbidden headers.  
As mentioned in this thread, there are valid reasons to control it  

- WBR, Alexey Proskuryakov
Received on Wednesday, 1 April 2009 10:05:44 UTC
