[XHR] withCredentials and HTTP authentication from Monsur Hossain on 2013-02-12 (public-webapps@w3.org from January to March 2013)

From: Monsur Hossain <monsur@gmail.com>
Date: Mon, 11 Feb 2013 22:24:21 -0600
To: public-webapps@w3.org
Message-ID: <CAKSyWQmNypyfJKTafsz23kqXbHhjnmCtDN=GAHbm657RVhzYVw@mail.gmail.com>

The XHR spec defines "user credentials" as "cookies, HTTP authentication,
and client-side SSL certificates". Its not clear to me what "HTTP
authentication" referring to.

I assumed it was referring to the HTTP authentication in RFC 2617, which
uses the "Authorization" header. But a quick
test<http://client.cors-api.appspot.com/client#?client_method=GET&client_credentials=false&client_headers=Authorization%3A%20Basic%20QWxhZGRpbjpvcGVuIHNlc2FtZQ%3D%3D&server_enable=true&server_status=200&server_credentials=false&server_headers=Authorization&server_tabs=local>shows
that arbitrary Authorization headers are allowed on CORS requests.

It could also mean the http://<username>@<password>:domain.com form of
authentication (not sure where this is formally defined).

What type of http authentication is the XHR spec referring to?

Thanks,
Monsur

Received on Tuesday, 12 February 2013 04:24:51 UTC