Re: Re: Fetch: HTTP authentication and CORS

>> Here I don't agree anymore. If I want to retrieve a HTTP auth-protected resource
>> with XHR from a CORS-enabled server, the natural thing to do seems to try to pass
>> in the user name and password in the XHR open() call. If the script author supplied
>> user/pass and the server says 401 on a request without Authorization: surely the
>> natural next step is to re-try with Authorization:?
> If the caller to the call provided a username and password,
> then shouldn't the implementation send that information in the *first*
> request rather than waiting for a 401?

I'd like to do that, but Anne thinks it violates the HTTP protocol (and apparently is hard to implement on top of certain networking libraries?).

Any networking devs who would like to comment on that?

Hallvord R. M. Steen
Core tester, Opera Software

Received on Monday, 6 May 2013 18:12:54 UTC