[xhr] authorization (was: Re: call for reviewers: XMLHttpRequest Last Call)

I have tried to clarify the bits about Authorization. Also, moving this  
thread over to the proper list for XMLHttpRequest.

See (near the end):


On Sun, 06 Dec 2009 17:19:59 +0100, sird@rckc.at <sird@rckc.at> wrote:
> 2.- 4.6.3 is not clear. It is obvious the UA should check first for which
> type of authentication, but then if I read correctly you allow the script to
> set its own Authentication header via setRequestHeader.. but if the header
> is missing then you fall down to the 4th and 5th arguments of open.
>
> This makes the UA make 2 requests [one to know the auth method and the
> other to do the real request]?

In specific cases, yes. As implementations do already I believe.

> Both requests have the data sent by send() (before and after 401)?

Yes, because you do not know you will get a 401.

> What about redirects that require different Authentication methods?

How would that work?

> If the user is now under (for example) a digest auth session, but the
> page/redirected page responds with Authentication: Basic, should the UA
> prompt the user for user/password again? This is a dangerous downgrade
> attack (think active network attackers).

Not sure. I would appreciate advice here. Also based on what we need with  
respect to legacy content.

> If the session already has a username/password HTTP auth session and
> open() has user/pass, should it be replaced by the new one? Are you
> sure? Are you really sure?

It would be good to get advice here too.

> There are several attack scenarios there.. and unless I missed something  
> in my opinion the specification is not specific enough =/

I can fix it if someone helps me out with the details.

Anne van Kesteren
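The flow the two of them are arguing about, as an added toy model that is not from the thread, the XMLHttpRequest spec or any browser: the server helper, the scheme-strength table and the "refuse a weaker challenge" rule are assumptions made for illustration; only Basic is modelled, since a Digest response needs the nonce exchange.

```javascript
"use strict";
// Assumed user-agent rules (hypothetical model, not spec text):
//  1. an Authorization header set via setRequestHeader() is sent as-is, no retry;
//  2. otherwise the first request carries no credentials and, on a 401, the UA
//     retries once using the user/password passed to open();
//  3. both requests carry the send() body;
//  4. the retry is refused when the challenge scheme is weaker than the scheme
//     of an existing session (the Digest -> Basic downgrade raised above).
const SCHEME_STRENGTH = { basic: 1, digest: 2 };

// "Basic realm=..." -> "basic"
function challengeScheme(wwwAuthenticate) {
  return String(wwwAuthenticate || "").split(/\s+/)[0].toLowerCase();
}

function credentialHeader(scheme, user, pass) {
  if (scheme !== "basic") return null; // Digest not modelled
  return "Basic " + Buffer.from(`${user}:${pass}`).toString("base64");
}

// Constructed stand-in server: challenges with `scheme` until credentials arrive.
function makeServer(scheme) {
  return (req) => {
    if (req.headers.authorization) return { status: 200, headers: {} };
    return { status: 401, headers: { "www-authenticate": `${scheme} realm="x"` } };
  };
}

// Returns the list of requests actually sent (headers, body, status) and
// whether a retry was refused as a downgrade.
function xhrSend({ server, authorHeader, user, pass, body, sessionScheme }) {
  const log = [];
  const headers = {};
  if (authorHeader) headers.authorization = authorHeader; // rule 1
  let res = server({ headers: { ...headers }, body });
  log.push({ headers: { ...headers }, body, status: res.status });
  if (res.status === 401 && !authorHeader && user != null && pass != null) {
    const scheme = challengeScheme(res.headers["www-authenticate"]);
    if (sessionScheme && SCHEME_STRENGTH[scheme] < SCHEME_STRENGTH[sessionScheme]) {
      return { log, refused: `downgrade ${sessionScheme} -> ${scheme}` }; // rule 4
    }
    const cred = credentialHeader(scheme, user, pass);
    if (cred) {
      headers.authorization = cred;
      res = server({ headers: { ...headers }, body }); // rules 2 and 3
      log.push({ headers: { ...headers }, body, status: res.status });
    }
  }
  return { log, refused: null };
}
```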

Received on Tuesday, 16 February 2010 13:29:26 UTC