- From: Monsur Hossain <monsur@gmail.com>
- Date: Mon, 11 Feb 2013 22:24:21 -0600
- To: public-webapps@w3.org
Received on Tuesday, 12 February 2013 04:24:51 UTC
The XHR spec defines "user credentials" as "cookies, HTTP authentication, and client-side SSL certificates". It's not clear to me what "HTTP authentication" is referring to. I assumed it was referring to the HTTP authentication in RFC 2617, which uses the "Authorization" header. But a quick test <http://client.cors-api.appspot.com/client#?client_method=GET&client_credentials=false&client_headers=Authorization%3A%20Basic%20QWxhZGRpbjpvcGVuIHNlc2FtZQ%3D%3D&server_enable=true&server_status=200&server_credentials=false&server_headers=Authorization&server_tabs=local> shows that arbitrary Authorization headers are allowed on CORS requests.

It could also mean the http://<username>@<password>:domain.com form of authentication (not sure where this is formally defined).

What type of HTTP authentication is the XHR spec referring to?

Thanks,
Monsur
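As an added illustration (not part of the original post), the following script models the checks a browser applies to a cross-origin request that carries an explicitly set Authorization header, with and without the credentials flag. It reproduces the setup of the linked test (client_credentials=false, server_headers=Authorization) and shows which server headers change the outcome; the rules follow the WHATWG Fetch standard, while the request and response object shapes are this example's own assumptions.

```javascript
// Assumed shapes (not from any library):
//   req       = { origin, headers: {name: value}, withCredentials: bool }
//   preflight = server response headers, lowercase keys
// Simplification: method checks and Content-Type value restrictions are omitted.

// CORS-safelisted request headers never require the server to list them.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

function splitList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Headers that are not safelisted must be covered by Access-Control-Allow-Headers.
function unsafeHeaders(headers) {
  return Object.keys(headers).map((h) => h.toLowerCase()).filter((h) => !SAFELISTED.has(h));
}

function corsDecision(req, preflight) {
  const allowOrigin = preflight["access-control-allow-origin"];
  if (req.withCredentials) {
    // Cookies, browser-managed HTTP auth and client certs: '*' is never accepted.
    if (allowOrigin !== req.origin) return "blocked: credentialed request needs exact Allow-Origin";
    if (preflight["access-control-allow-credentials"] !== "true") {
      return "blocked: Access-Control-Allow-Credentials must be 'true'";
    }
  } else if (allowOrigin !== "*" && allowOrigin !== req.origin) {
    return "blocked: origin not allowed";
  }
  const allowed = splitList(preflight["access-control-allow-headers"]);
  const wildcard = !req.withCredentials && allowed.includes("*");
  for (const h of unsafeHeaders(req.headers)) {
    // Per Fetch, Authorization is never covered by '*'; it must be listed explicitly.
    const covered = allowed.includes(h) || (wildcard && h !== "authorization");
    if (!covered) return `blocked: header '${h}' not in Access-Control-Allow-Headers`;
  }
  return "allowed";
}

// Constructed scenario mirroring the linked test: explicit Authorization header,
// credentials flag off, server lists "Authorization" in Allow-Headers.
const REQ = {
  origin: "http://client.example",
  headers: { Authorization: "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" }, // RFC 2617 sample value
  withCredentials: false,
};
const SERVER_LISTS_AUTH = { "access-control-allow-origin": "*", "access-control-allow-headers": "Authorization" };
const SERVER_WILDCARD = { "access-control-allow-origin": "*", "access-control-allow-headers": "*" };

console.log(corsDecision(REQ, SERVER_LISTS_AUTH)); // allowed
console.log(corsDecision({ ...REQ, withCredentials: true }, SERVER_LISTS_AUTH)); // blocked: needs exact Allow-Origin
console.log(corsDecision(REQ, SERVER_WILDCARD)); // blocked: Authorization not covered by '*'
```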