- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 16 Feb 2010 14:28:48 +0100
- To: "sird@rckc.at" <sird@rckc.at>, "Thomas Roessler" <tlr@w3.org>
- Cc: "WebApps WG" <public-webapps@w3.org>
I have tried to clarify the bits about Authorization. Also, moving this thread over to the proper list for XMLHttpRequest. See (near the end):

http://dev.w3.org/2006/webapi/XMLHttpRequest/#the-send-method

On Sun, 06 Dec 2009 17:19:59 +0100, sird@rckc.at <sird@rckc.at> wrote:
> 2.- 4.6.3 is not clear. It is obvious the UA should check first for which
> type of authentication, but then if I read correctly you allow the script to
> set their own Authentication header via setRequestHeader.. but if the header
> is missing then you fall down to the 4th and 5th arguments of open.

Right.

> This makes the UA make 2 requests [one to know the auth method and the
> other to do the real request]?

In specific cases, yes. As implementations already do, I believe.

> Both requests have the data sent by send() (before and after 401)?

Yes, because you do not know you will get a 401.

> What about redirects that require different Authentication methods?

How would that work?

> If the user is now under (for example) a digest auth session, but the
> page/redirected page responds with Authentication: Basic, should the UA
> prompt the user for user/password again? This is a dangerous downgrade
> attack (think active network attackers).

Not sure. I would appreciate advice here. Also based on what we need with respect to legacy content.

> If the session already has a username/password HTTP auth session and
> open() has user/pass? it should be replaced by the new one? Are you
> sure? Are you really sure?

It would be good to get advice here too.

> There are several attack scenarios there.. and unless I missed something
> in my opinion the specification is not specific enough =/

I can fix it if someone helps me out with the details.

-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 16 February 2010 13:29:26 UTC
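The decision the thread is circling, as an added example that is not part of the original message or of any browser's code: a small model of what a user agent does with a 401 on an XMLHttpRequest, covering the script-set Authorization header winning over open()'s user/password, the body being re-sent on the retry, and a refusal to answer a Basic challenge when Digest is already in use for the origin. Function and field names (`handleAuth`, `req.headers`, `session.scheme`) are hypothetical, and the downgrade refusal is this model's defensive choice, not behaviour the spec text quoted above requires.

```javascript
// Added example, not from the thread or any browser's source: a model of the
// decision a user agent faces when an XMLHttpRequest gets a 401. Names are
// hypothetical; the downgrade refusal is this model's choice, not spec text.

// Scheme token of the first challenge: 'Digest realm="r"' -> "digest".
function parseChallenge(wwwAuthenticate) {
  const m = /^\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)/.exec(wwwAuthenticate || "");
  return m ? m[1].toLowerCase() : null;
}

// Higher is stronger; unknown schemes count as 0 so they never pass a downgrade check.
const SCHEME_STRENGTH = { basic: 1, digest: 2 };

// req:       { headers: { name: value }, user, password }  (setRequestHeader and open() arguments)
// status:    HTTP status of the response
// challenge: WWW-Authenticate header value, if any
// session:   { scheme } already established for this origin, or null
function handleAuth(req, status, challenge, session) {
  if (status !== 401) return { action: "deliver" };
  const scheme = parseChallenge(challenge);
  if (!scheme) return { action: "deliver", reason: "401 without a usable challenge" };

  // A script-supplied Authorization header takes precedence over open()'s user/password:
  // the UA neither substitutes them nor prompts, it hands the 401 to the script.
  const scriptSetAuth = Object.keys(req.headers || {})
    .some(name => name.toLowerCase() === "authorization");
  if (scriptSetAuth) return { action: "deliver", reason: "script set Authorization" };

  // Refuse to answer a weaker challenge than the scheme already in use for this origin
  // (the Digest -> Basic downgrade raised in the thread).
  if (session && SCHEME_STRENGTH[session.scheme] > (SCHEME_STRENGTH[scheme] || 0)) {
    return { action: "refuse", reason: `downgrade ${session.scheme} -> ${scheme}` };
  }

  // Credentials from open(): retry once with them. The body given to send() goes out
  // again, since the first request could not know a 401 was coming.
  if (req.user != null && req.password != null) {
    return { action: "retry", scheme, user: req.user, password: req.password, resendBody: true };
  }

  // Nothing to authenticate with automatically: let the UA prompt the user.
  return { action: "prompt", scheme };
}
```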