- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 12 Feb 2013 20:00:42 +0000
- To: Monsur Hossain <monsur@gmail.com>
- Cc: public-webapps@w3.org
On Tue, Feb 12, 2013 at 7:52 PM, Monsur Hossain <monsur@gmail.com> wrote:
> I think what was confusing to me is that the
> Access-Control-Allow-Credentials section of the CORS spec indicates that a
> "true" value "indicates that the actual request can include user
> credentials."
>
> In the case of cookies, both the client's .withCredentials and the server's
> Access-Control-Allow-Credentials must be "true" in order for the user-agent
> to return the response to the client.
>
> But in the case of the "Authorization" header, the server's opt-in mechanism
> is Access-Control-Allow-Headers, and has no connection to
> Access-Control-Allow-Credentials.

Hmm, I see what you mean. But the user agent can provide the Authorization header too, based on a previous visit. That is the meaning that is most often meant, but in the particular case of CORS the semantics are subtly different. Not sure how to clarify that exactly.

--
http://annevankesteren.nl/
Received on Tuesday, 12 February 2013 20:01:16 UTC
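Added example, not part of the thread above: a simplified JavaScript model of the checks a browser applies to a CORS response, showing that cookies (and browser-supplied HTTP auth) are opted in through Access-Control-Allow-Credentials, while an Authorization header set by the page's script is opted in through Access-Control-Allow-Headers. The request shape, the `corsCheck` function and the sample headers are assumptions made for this illustration.

```javascript
// Headers a script may send without a preflight opt-in (simplified: the
// real safelist also constrains Content-Type values).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

function parseList(value) {
  return (value || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// request:  { origin, credentials: 'include' | 'omit', headers: [names set by script] }
// response: object mapping lower-cased header name -> value
// Returns { ok: true } or { ok: false, reason }.
function corsCheck(request, response) {
  const withCreds = request.credentials === 'include';
  const allowOrigin = response['access-control-allow-origin'];
  // A wildcard origin is never accepted for a credentialed request.
  if (allowOrigin !== request.origin && !(allowOrigin === '*' && !withCreds)) {
    return { ok: false, reason: 'origin not allowed' };
  }
  // Cookies, and an Authorization header the browser attaches on its own
  // from an earlier visit, are credentials: the server must answer with
  // Access-Control-Allow-Credentials: true or the response is withheld.
  if (withCreds && response['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'credentials not allowed' };
  }
  // A header the script sets itself, Authorization included, is opted in
  // via Access-Control-Allow-Headers, regardless of the credentials flag.
  const allowed = parseList(response['access-control-allow-headers']);
  const wildcard = allowed.includes('*') && !withCreds; // '*' is ignored with credentials
  for (const name of request.headers.map(h => h.toLowerCase())) {
    if (SAFELISTED.has(name) || allowed.includes(name)) continue;
    // Per the Fetch spec, '*' does not cover Authorization; list it by name.
    if (wildcard && name !== 'authorization') continue;
    return { ok: false, reason: `header not allowed: ${name}` };
  }
  return { ok: true };
}

// Constructed sample: the two situations discussed in the thread.
const origin = 'https://app.example';
const cookieRequest = { origin, credentials: 'include', headers: [] };
const scriptAuthRequest = { origin, credentials: 'omit', headers: ['Authorization'] };
```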