- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 11 Apr 2012 03:57:23 -0700
- To: Webapps WG <public-webapps@w3.org>, Boris Zbarsky <bzbarsky@mozilla.com>
Hi All, Apologies if this has been discussed before and I missed it, or have forgotten about it. Currently the IDL for the .open function looks as follows: open(DOMString method, DOMString url, optional boolean async, optional DOMString? user, optional DOMString? password); This means that if anything other than null is passed as value for the user/password arguments, then the value should be stringified per normal WebIDL/ECMAScript rules. This includes if the value undefined is passed, which would be converted to "undefined" as both username and password. We accidentally made this change a while back, but discovered that this isn't compatible with the web [1][2]. In particular, the Dojo toolkit contains code like: xhr.open(method, ioArgs.url, args.sync !== true, args.user || undefined, args.password || undefined); For "normal" requests this results in the username and password "undefined" being used. This isn't a big deal since I think many servers simply ignore the username/password if they are not required for the resource. But it still seem non-ideal. A bigger deal however is that for a cross-site request, the requirements in CORS causes such a request to be denied causing [1]. It also caused sites that use mootools to break when the site was using basic authentication [2]. [1] https://bugzilla.mozilla.org/show_bug.cgi?id=605296 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=609865 So I suspect we need to add [TreatUndefinedAs=EmptyString] or [TreatUndefinedAs=Null] (the effect is the same here) to both the user and password arguments. / Jonas
Received on Wednesday, 11 April 2012 10:58:26 UTC