Re: [XHR] withCredentials and HTTP authentication

On Tue, Feb 12, 2013 at 4:24 AM, Monsur Hossain <> wrote:
> The XHR spec defines "user credentials" as "cookies, HTTP authentication,
> and client-side SSL certificates". Its not clear to me what "HTTP
> authentication" referring to.
> I assumed it was referring to the HTTP authentication in RFC 2617, which
> uses the "Authorization" header. But a quick test shows that arbitrary
> Authorization headers are allowed on CORS requests.
> It could also mean the http://<username>@<password> form of
> authentication (not sure where this is formally defined).
> What type of http authentication is the XHR spec referring to?

User credentials stored by the user agent based on a previous visit to the URL.

Authorization is only allowed through CORS if the server opts in, btw.

These details should become more clear once I turn into a proper specification.


Received on Tuesday, 12 February 2013 09:38:01 UTC