Re: [XHR] withCredentials and HTTP authentication

On Tue, Feb 12, 2013 at 3:37 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Feb 12, 2013 at 4:24 AM, Monsur Hossain <monsur@gmail.com> wrote:
> > The XHR spec defines "user credentials" as "cookies, HTTP authentication,
> > and client-side SSL certificates". It's not clear to me what "HTTP
> > authentication" is referring to.
> >
> > I assumed it was referring to the HTTP authentication in RFC 2617, which
> > uses the "Authorization" header. But a quick test shows that arbitrary
> > Authorization headers are allowed on CORS requests.
> >
> > It could also mean the http://<username>@<password>:domain.com form of
> > authentication (not sure where this is formally defined).
> >
> > What type of http authentication is the XHR spec referring to?
>
> User credentials stored by the user agent based on a previous visit to the
> URL.
>

Ok thanks. I think it would be useful if the "HTTP authentication" in the
above sentence snippet were either dropped or clarified (The CORS spec also
uses the same sentence).

Authorization is only allowed through CORS if the server opts in, btw.
>
> These details should become more clear once I turn
> http://wiki.whatwg.org/wiki/Fetch into a proper specification.
>
>
> --
> http://annevankesteren.nl/
>

Received on Tuesday, 12 February 2013 19:31:14 UTC
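Added example, not part of the thread and not code from Anne van Kesteren, Monsur Hossain or the XHR/CORS editors: the point raised above, that an Authorization header crosses origins only when the server opts in, comes down to the preflight exchange. The block below models both halves of that exchange for a request sent with `withCredentials = true` and an `Authorization` header: what a server must return to opt in, and the checks a browser applies before sending the real request. The origins, policy values and request objects are constructed for the demo; the header checks follow the current Fetch rules (exact-origin echo plus `Access-Control-Allow-Credentials: true` for credentialed requests, and `Authorization` never being covered by an `Access-Control-Allow-Headers: *` wildcard).

```javascript
// Added example (not from the thread): server-side opt-in and browser-side
// preflight checks for a credentialed CORS request carrying Authorization.

// Request headers a browser may send cross-origin without any server opt-in.
const SAFELISTED_REQUEST_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
// Methods that pass preflight without being listed in Access-Control-Allow-Methods.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Server side: build the preflight response for a given policy (assumed shapes):
// preflight = { origin, method, requestHeaders: [names] }
// policy    = { allowedOrigins: Set, allowedMethods: Set, allowedHeaders: Set, allowCredentials }
function serverPreflightHeaders(preflight, policy) {
  if (!policy.allowedOrigins.has(preflight.origin)) {
    return null; // no CORS headers at all; the browser will block the request
  }
  const headers = {
    // Echo the specific origin; "*" is never acceptable for credentialed requests.
    "Access-Control-Allow-Origin": preflight.origin,
    "Vary": "Origin", // caches must not reuse this response for another origin
    "Access-Control-Allow-Methods": [...policy.allowedMethods].join(", "),
  };
  // Only list headers the server is willing to accept. This is the opt-in that
  // lets a non-safelisted header such as Authorization through.
  const granted = preflight.requestHeaders
    .map((h) => h.toLowerCase())
    .filter((h) => policy.allowedHeaders.has(h));
  if (granted.length > 0) {
    headers["Access-Control-Allow-Headers"] = granted.join(", ");
  }
  if (policy.allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser side: decide whether the actual request may be sent.
// request = { origin, method, headers: [names], withCredentials: bool }
function browserAllowsRequest(request, response) {
  if (response === null) return false;
  const get = (name) => {
    const key = Object.keys(response).find((k) => k.toLowerCase() === name.toLowerCase());
    return key === undefined ? null : response[key];
  };
  const splitList = (v, fn) => (v || "").split(",").map((s) => fn(s.trim())).filter(Boolean);
  const acao = get("Access-Control-Allow-Origin");
  const acac = get("Access-Control-Allow-Credentials");
  const acah = splitList(get("Access-Control-Allow-Headers"), (s) => s.toLowerCase());
  const acam = splitList(get("Access-Control-Allow-Methods"), (s) => s.toUpperCase());

  if (request.withCredentials) {
    // Credentialed: the origin must match exactly and the server must say "true".
    if (acao !== request.origin || acac !== "true") return false;
  } else if (acao !== "*" && acao !== request.origin) {
    return false;
  }

  // Method: safelisted methods always pass; "*" only helps without credentials.
  const method = request.method.toUpperCase();
  const methodOk = SAFELISTED_METHODS.has(method) || acam.includes(method) ||
    (!request.withCredentials && acam.includes("*"));
  if (!methodOk) return false;

  // Every non-safelisted request header needs an explicit entry. "*" counts
  // only for non-credentialed requests and never covers Authorization.
  for (const name of request.headers.map((h) => h.toLowerCase())) {
    if (SAFELISTED_REQUEST_HEADERS.has(name)) continue;
    if (acah.includes(name)) continue;
    if (!request.withCredentials && acah.includes("*") && name !== "authorization") continue;
    return false;
  }
  return true;
}

// Worked case: a credentialed PUT with Authorization against a server that opts in.
function demo(policyOverrides = {}) {
  const policy = {
    allowedOrigins: new Set(["https://app.example"]),   // constructed allow-list
    allowedMethods: new Set(["GET", "PUT"]),
    allowedHeaders: new Set(["authorization", "content-type"]),
    allowCredentials: true,
    ...policyOverrides,
  };
  const request = {
    origin: "https://app.example", method: "PUT",
    headers: ["Authorization", "Content-Type"], withCredentials: true,
  };
  const preflight = { origin: request.origin, method: request.method, requestHeaders: request.headers };
  return browserAllowsRequest(request, serverPreflightHeaders(preflight, policy));
}

module.exports = { serverPreflightHeaders, browserAllowsRequest, demo };
```

Dropping `authorization` from `allowedHeaders`, or setting `allowCredentials` to `false`, makes `demo()` return `false`: the browser never sends the real request, which is the "only if the server opts in" behaviour the thread describes. The same check shows why `Access-Control-Allow-Origin: *` cannot be combined with cookies, HTTP auth or client certificates.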