Re: [XHR] withCredentials and HTTP authentication

On Tue, Feb 12, 2013 at 1:36 PM, Anne van Kesteren <> wrote:

> On Tue, Feb 12, 2013 at 7:30 PM, Monsur Hossain <> wrote:
> > On Tue, Feb 12, 2013 at 3:37 AM, Anne van Kesteren <>
> wrote:
> >> User credentials stored by the user agent based on a previous visit to
> the
> >> URL.
> >
> > Ok thanks. I think it would be useful if the "HTTP authentication" in the
> > above sentence snippet were either dropped or clarified (The CORS spec
> also
> > uses the same sentence).
> How is it different from mentioning cookies? It has the same effect, no?

I think what was confusing to me is that the
Access-Control-Allow-Credentials section of the CORS spec indicates that a
"true" value "indicates that the actual request can include user

In the case of cookies, both the client's .withCredentials and the server's
Access-Control-Allow-Credentials must be "true" in order for the user-agent
to return the response to the client.

But in the case of the "Authorization" header, the server's opt-in
mechanism is Access-Control-Allow-Headers, and has no connection to

The sentence above reads as if cookies and HTTP Authentication are
both governed by the Access-Control-Allow-Credentials header, which is not
the case in practice.

Note that I am assuming that HTTP Authentication is referring to RFC 2617
and the use of the Authorization header. But the definition for user
credentials in the "Terminology" section of the CORS spec doesn't say
either way. If this is the case, there should be a reference to RFC 2617 in
the "Terminology" section (Next to "[COOKIES]"). And if this is not the
case, there should be more information to disambiguate the term "HTTP
Authentication" from RFC2617.


> --

Received on Tuesday, 12 February 2013 19:53:15 UTC