- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 13 Sep 2012 15:02:58 +0200
- To: Paul.Todd@sybase.com
- Cc: public-webapps@w3.org
On Tue, Sep 11, 2012 at 2:39 PM, <Paul.Todd@sybase.com> wrote:
> "If the user agent supports HTTP Authentication and Authorization is not in
> the list of author request headers, it should consider requests originating
> from the XMLHttpRequest object to be part of the protection space that
> includes the accessed URIs and send Authorization headers and handle 401
> Unauthorized requests appropriately."
>
> This bit is clear, however there is no mention of what should happen if the
> Authorization header is present in the author request headers and there is
> no HTTP Authentication (username and password) in the open call going across
> domains. It is implied however that the Authorization header should be
> disallowed:
>
> "Request username and request password are always ignored as part of a
> cross-origin request; including them would allow a site to perform a
> distributed password search."

Actually no. If you create your own Authorization header it's fine (assuming your server advertises support for that particular header using CORS). Maybe we should change things around again given the new header opt-in so that you can use username/password too.

-- 
http://annevankesteren.nl/
Received on Thursday, 13 September 2012 13:03:36 UTC
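The header opt-in Anne refers to, as an added illustration that is not part of the thread: an author-set Authorization header is not a CORS-safelisted header, so the browser sends a preflight and only proceeds if the server lists that header in Access-Control-Allow-Headers. The header names, sample token and the simplified safelist below are assumptions for the example.

```javascript
// Added example (not from the mailing-list thread): model the preflight
// decision for a cross-origin XMLHttpRequest that sets its own Authorization
// header via setRequestHeader(). The username/password arguments of open()
// are a separate mechanism and, per the quoted spec text, are ignored cross-origin.

// Constructed sample: headers the page script sets on the request.
// The token value is a placeholder, not a real credential.
const authorRequestHeaders = { "Authorization": "Bearer <token placeholder>" };

// Simplified set of CORS-safelisted request headers (assumption: the real
// safelist also constrains the values of these headers; values are ignored here).
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Author-set header names the server must explicitly opt in to.
// Header names are case-insensitive, so compare in lower case.
function headersNeedingOptIn(headers) {
  return Object.keys(headers)
    .map((name) => name.toLowerCase())
    .filter((name) => !SAFELISTED.has(name));
}

// Parse the comma-separated Access-Control-Allow-Headers value from the
// preflight (OPTIONS) response into a set of lower-cased names.
function parseAllowHeaders(value) {
  return new Set(
    (value || "")
      .split(",")
      .map((part) => part.trim().toLowerCase())
      .filter((part) => part.length > 0)
  );
}

// Does the server's preflight response permit every non-safelisted author header?
// If any one is missing, the browser treats the whole request as a CORS failure
// and never sends the actual request.
function preflightAllows(headers, allowHeadersValue) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  return headersNeedingOptIn(headers).every((name) => allowed.has(name));
}

// Server advertises support for the custom header: request may proceed.
preflightAllows(authorRequestHeaders, "Authorization, X-Requested-With"); // true
// Server does not list it: request is blocked.
preflightAllows(authorRequestHeaders, "X-Requested-With"); // false
```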