[XHR] withCredentials and HTTP authentication

The XHR spec defines "user credentials" as "cookies, HTTP authentication,
and client-side SSL certificates". It's not clear to me what "HTTP
authentication" is referring to.

I assumed it was referring to the HTTP authentication in RFC 2617, which
uses the "Authorization" header. But a quick
test <http://client.cors-api.appspot.com/client#?client_method=GET&client_credentials=false&client_headers=Authorization%3A%20Basic%20QWxhZGRpbjpvcGVuIHNlc2FtZQ%3D%3D&server_enable=true&server_status=200&server_credentials=false&server_headers=Authorization&server_tabs=local> shows
that arbitrary Authorization headers are allowed on CORS requests.

It could also mean the http://<username>@<password>:domain.com form of
authentication (not sure where this is formally defined).

What type of HTTP authentication is the XHR spec referring to?

Thanks,
Monsur

Received on Tuesday, 12 February 2013 04:24:51 UTC
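
Added example (not part of the original message or of the XHR spec): a simplified JavaScript model of the browser-side CORS checks for the configuration in the linked test. It shows an author-set `Authorization` header being gated by `Access-Control-Allow-Headers` during preflight, while `withCredentials` is checked separately against `Access-Control-Allow-Credentials` and a non-wildcard origin. `corsDecision`, its field names, the origin `https://app.example` and the server's `Access-Control-Allow-Origin` value are assumptions; the `Authorization` value is the one in the test URL.

```javascript
// Added example: simplified model of browser CORS checks (hypothetical names).
// Content-Type value restrictions and wildcard Allow-Headers are not modeled.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

function corsDecision(req, server) {
  const out = {
    needsPreflight: false,
    // Cookies, cached HTTP auth and client certs are attached only with withCredentials.
    browserCredentialsSent: req.withCredentials === true,
    allowed: false,
    reason: "",
  };
  const deny = (why) => { out.reason = why; return out; };

  // Any author-set header outside the safelist (Authorization included) forces a preflight.
  const unsafe = Object.keys(req.headers).map((h) => h.toLowerCase()).filter((h) => !SAFELISTED.has(h));
  out.needsPreflight = !SIMPLE_METHODS.has(req.method) || unsafe.length > 0;

  const acao = server["access-control-allow-origin"];
  if (req.withCredentials) {
    if (acao !== req.origin) return deny("credentialed request needs an exact origin match");
    if (server["access-control-allow-credentials"] !== "true") return deny("Access-Control-Allow-Credentials is not true");
  } else if (acao !== "*" && acao !== req.origin) {
    return deny("origin not allowed");
  }

  if (out.needsPreflight) {
    const allowedHeaders = new Set(list(server["access-control-allow-headers"]));
    const missing = unsafe.filter((h) => !allowedHeaders.has(h));
    if (missing.length) return deny("header not allowed: " + missing.join(", "));
    const allowedMethods = list(server["access-control-allow-methods"]);
    if (!SIMPLE_METHODS.has(req.method) && !allowedMethods.includes(req.method.toLowerCase())) {
      return deny("method not allowed");
    }
  }
  out.allowed = true;
  return out;
}

// Constructed sample mirroring the linked test: GET, credentials off, explicit header.
const pageTest = {
  req: { origin: "https://app.example", method: "GET", withCredentials: false,
         headers: { Authorization: "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" } },
  server: { "access-control-allow-origin": "*", "access-control-allow-headers": "Authorization" },
};
console.log(corsDecision(pageTest.req, pageTest.server));
```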