Re: [XHR] withCredentials and HTTP authentication

On Tue, Feb 12, 2013 at 7:52 PM, Monsur Hossain <> wrote:
> I think what was confusing to me is that the
> Access-Control-Allow-Credentials section of the CORS spec indicates that a
> "true" value "indicates that the actual request can include user
> credentials."
> In the case of cookies, both the client's .withCredentials and the server's
> Access-Control-Allow-Credentials must be "true" in order for the user-agent
> to return the response to the client.
> But in the case of the "Authorization" header, the server's opt-in mechanism
> is Access-Control-Allow-Headers, and has no connection to
> Access-Control-Allow-Credentials.

Hmm I see what you mean. But the user agent can provide the
Authorization header too based on a previous visit. That is the
meaning that is most often meant, but in the particular case of CORS
the semantics are subtly different. Not sure how to clarify that


Received on Tuesday, 12 February 2013 20:01:16 UTC