Re: Fetch: HTTP authentication and CORS from Paul Libbrecht on 2013-05-08 (public-webappsec@w3.org from May 2013)

From: Paul Libbrecht <paul@hoplahup.net>
Date: Wed, 8 May 2013 22:13:52 +0200
To: "HU, BIN" <bh526r@att.com>
Cc: Hallvord Reiar Michaelsen Steen <hallvord@opera.com>, Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@annevk.nl>, WebApps WG <public-webapps@w3.org>, WebAppSec WG <public-webappsec@w3.org>
Message-Id: <5272AB9E-36C2-4E64-8404-158AF388AFEA@hoplahup.net>

On 7 mai 2013, at 02:23, HU, BIN wrote:
> Because "nonce" is needed to generate the appropriate digest, the 401 challenge is required.

So the lesson here is: any developer that intends to use authenticated XHR should always start with an XHR that is a simple ping-like GET, then do the real things. Right?

Paul

Received on Wednesday, 8 May 2013 20:15:13 UTC