
Re: Fetch: HTTP authentication and CORS

From: Paul Libbrecht <paul@hoplahup.net>
Date: Wed, 8 May 2013 22:13:52 +0200
Cc: Hallvord Reiar Michaelsen Steen <hallvord@opera.com>, Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@annevk.nl>, WebApps WG <public-webapps@w3.org>, WebAppSec WG <public-webappsec@w3.org>
Message-Id: <5272AB9E-36C2-4E64-8404-158AF388AFEA@hoplahup.net>
To: "HU, BIN" <bh526r@att.com>

On 7 May 2013, at 02:23, HU, BIN wrote:
> Because "nonce" is needed to generate the appropriate digest, the 401 challenge is required.

So the lesson here is: any developer that intends to use authenticated XHR should always start with an XHR that is a simple ping-like GET, then do the real things. Right?

Paul
Received on Wednesday, 8 May 2013 20:15:13 UTC
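
Added example, not part of the original message: the quoted point about the nonce, worked through as the RFC 2617 Digest computation for `qop=auth` with MD5. The function names are hypothetical, and the sample challenge and credentials are the constructed values from the RFC 2617 section 3.5 example.

```javascript
// Added example: why a Digest client needs the server's 401 challenge first.
const crypto = require("crypto");

const md5 = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Parse the parameters of a `WWW-Authenticate: Digest ...` header value.
// Handles quoted values (which may contain commas) and bare tokens.
function parseChallenge(header) {
  const m = /^\s*Digest\s+(.*)$/i.exec(header);
  if (!m) throw new Error("not a Digest challenge");
  const params = {};
  const re = /([a-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/gi;
  let p;
  while ((p = re.exec(m[1])) !== null) {
    params[p[1].toLowerCase()] =
      p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
  }
  return params;
}

// Compute the `response` field of the Authorization header (qop=auth assumed).
// The server-chosen nonce is an input to the hash, so nothing can be computed
// before a challenge has been received.
function digestResponse(ch, { username, password, method, uri, nc, cnonce }) {
  if (!ch.nonce) throw new Error("no server nonce: a 401 challenge is needed first");
  const ha1 = md5(`${username}:${ch.realm}:${password}`);
  const ha2 = md5(`${method}:${uri}`);
  return md5(`${ha1}:${ch.nonce}:${nc}:${cnonce}:auth:${ha2}`);
}

// Constructed sample input (values from the RFC 2617 section 3.5 example).
const SAMPLE_CHALLENGE =
  'Digest realm="testrealm@host.com", qop="auth,auth-int", ' +
  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", ' +
  'opaque="5ccc069c403ebaf9f0171e9517f40e41"';
const SAMPLE_REQUEST = {
  username: "Mufasa", password: "Circle Of Life",
  method: "GET", uri: "/dir/index.html", nc: "00000001", cnonce: "0a4f113b",
};

function demo() {
  return digestResponse(parseChallenge(SAMPLE_CHALLENGE), SAMPLE_REQUEST);
}

console.log(demo());
```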
