Hi,
I have a question on using the Authorization header across domains.
"If the user agent supports HTTP Authentication and Authorization is not in the list of author request headers, it should consider requests originating from the XMLHttpRequest object to be part of the protection space that includes the accessed URIs and send Authorization headers and handle 401 Unauthorized requests appropriately."
This bit is clear; however, there is no mention of what should happen if the Authorization header is present in the author request headers and there is no HTTP Authentication (username and password) in the open call going across domains. It is implied, however, that the Authorization header should be disallowed:
"Request username and request password are always ignored as part of a cross-origin request; including them would allow a site to perform a distributed password search."
Here is a specific use case:
If the JavaScript is being served from a local host (i.e. PhoneGap) but data (in our case XML) is being retrieved from another domain which uses BASIC authorisation and that does not support CORS, then correctly the request should fail. However, if we remove the username and password from the call and set the Authorisation header manually, then the request succeeds in WebKit.
See http://www.aswinanand.com/2009/01/http-basic-authentication-using-ajax/
Can someone clarify the behaviour in the spec?
Thanks
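The following is an added example and not code from the original post or from any browser or the spec. It models how a CORS-aware user agent and a server treat the three situations the question raises: Basic credentials passed to open() cross-origin, a manually set Authorization header sent to a server with no CORS support, and the same header sent to a server whose policy explicitly permits it. Under the CORS specification, Authorization is not a safelisted request header, so setting it with setRequestHeader() turns the request into a preflighted one; the server must then answer the OPTIONS request with Access-Control-Allow-Origin and list Authorization in Access-Control-Allow-Headers, otherwise the user agent never sends the actual request. The origins, URL, credentials and server policies below are constructed for the example.

```javascript
// Added example (not from the original post): a model of CORS handling for a
// cross-origin XMLHttpRequest carrying HTTP Basic credentials.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Is this author request header one that CORS allows without a preflight?
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED_HEADERS.has(n)) return false;
  if (n !== 'content-type') return true;
  return SAFELISTED_CONTENT_TYPES.has(String(value).split(';')[0].trim().toLowerCase());
}

// Author headers that force a preflight; Authorization is always among them.
function nonSafelistedHeaders(authorHeaders) {
  return Object.keys(authorHeaders).filter((k) => !isSafelistedHeader(k, authorHeaders[k]));
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Server side: answer an OPTIONS preflight from a constructed policy, or
// return null when the policy rejects it. A server without CORS support
// (server.cors === null) sends no Access-Control-* headers at all.
function preflightResponse(server, origin, method, requestedHeaders) {
  if (!server.cors) return null;
  const p = server.cors;
  if (!p.allowedOrigins.includes(origin)) return null;
  if (!p.allowedMethods.map((m) => m.toUpperCase()).includes(method.toUpperCase())) return null;
  const allowed = new Set(p.allowedHeaders.map((h) => h.toLowerCase()));
  if (!requestedHeaders.every((h) => allowed.has(h.toLowerCase()))) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': p.allowedMethods.join(', '),
    'Access-Control-Allow-Headers': requestedHeaders.join(', '),
  };
}

// User-agent side: decide what happens to a cross-origin XHR.
function crossOriginXhr(ua, server) {
  const result = { openCredentialsIgnored: false, preflighted: false, outcome: 'allowed' };
  if (originOf(ua.url) === ua.origin) return { ...result, outcome: 'same-origin' };

  // Username/password passed to open() are ignored for cross-origin requests.
  if (ua.user !== undefined || ua.password !== undefined) result.openCredentialsIgnored = true;

  const extra = nonSafelistedHeaders(ua.authorHeaders || {});
  if (!SAFE_METHODS.has(ua.method.toUpperCase()) || extra.length > 0) {
    result.preflighted = true;
    const resp = preflightResponse(server, ua.origin, ua.method, extra);
    if (!resp) return { ...result, outcome: 'blocked: preflight not allowed' };
    return result;
  }
  // Simple request: it is sent, but without a matching
  // Access-Control-Allow-Origin the response is withheld from the script.
  if (!server.cors || !server.cors.allowedOrigins.includes(ua.origin)) {
    return { ...result, outcome: 'blocked: response not exposed' };
  }
  return result;
}

// Constructed servers: one with no CORS support, one that opts in to the
// Authorization header for a single origin.
const NO_CORS_SERVER = { cors: null };
const CORS_SERVER = {
  cors: { allowedOrigins: ['http://localhost'], allowedMethods: ['GET'], allowedHeaders: ['Authorization'] },
};

// The three situations from the question, with constructed values
// ("Basic dXNlcjpwYXNz" is base64 of "user:pass").
function scenarios() {
  const base = { origin: 'http://localhost', method: 'GET', url: 'https://data.example/feed.xml' };
  const basic = 'Basic dXNlcjpwYXNz';
  return {
    openCredentials: crossOriginXhr({ ...base, user: 'user', password: 'pass' }, NO_CORS_SERVER),
    manualHeaderNoCors: crossOriginXhr({ ...base, authorHeaders: { Authorization: basic } }, NO_CORS_SERVER),
    manualHeaderWithCors: crossOriginXhr({ ...base, authorHeaders: { Authorization: basic } }, CORS_SERVER),
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

The model keeps the two mechanisms apart: credentials given to open() are dropped outright, while an author-set Authorization header is not dropped but is subject to the preflight, so a server that does not answer OPTIONS with the right Access-Control-* headers never receives the credentials. A server that wants to accept Basic credentials cross-origin has to opt in explicitly by naming Authorization in Access-Control-Allow-Headers for the specific origin it trusts, rather than with a wildcard.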