W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2013

Re: [CORS] Clarifying the term "user credentials"

From: Austin William Wright <aaa@bzfx.net>
Date: Fri, 11 Oct 2013 00:30:31 -0700
Message-ID: <CANkuk-UKAHZDoPCmmnU785K-uRBQth3YOt=+HmTJJA04Mdpz1g@mail.gmail.com>
To: Monsur Hossain <monsur@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Sep 26, 2013 at 9:30 PM, Monsur Hossain <monsur@gmail.com> wrote:

> I feel like the definition of the term "user credentials" in the CORS spec
> could use some clarification. The spec currently says:
> "The term user credentials for the purposes of this specification means
> cookies, HTTP authentication, and client-side SSL certificates.
> Specifically it does not refer to proxy authentication or the Origin
> header."
> Some points that are confusing me:
> 1) What is meant by "HTTP Authentication"? Is it RFC 2617 <http://tools.ietf.org/html/rfc2617>?
> If so it should be referenced in the definition.

It appears to be the `Authorization` header (but see my response to (2)).

HTTP is referenced, see <http://www.w3.org/TR/cors/#refsHTTP>.

> 2) Is the "Authorization" request header intended to be included in the
> definition of "user credentials"? A quick test in Chrome indicates that I
> can send an Authorization header without setting xhr.withCredentials or the
> Access-Control-Allow-Credentials header. Is this a mismatch between the
> spec and the actual browser implementation?

"User credentials" and the `withCredentials` property refer to information
stored in the user agent, not your ability to define a custom
`Authorization` header or `Cookie` header. I would strongly support
re-wording the text to clarify this point.

> 3) Why does the definition make a point to say that the Origin header is
> *not* considered user credentials? My understanding is that Origin should
> never be a substitute for user credentials. Is it just reiterating this
> point, or is there a case where user authorization is done via the Origin
> header?

It's just reiterating that point. You're correct, the `Origin` header must
never be used for authentication.

The line may be thwarting a number of potential problems: Server/resource
authors trying to authenticate requests from a trusted sibling site, or
implementers who would otherwise erroneously omit necessary headers.

> Thanks,
> Monsur
Received on Friday, 11 October 2013 07:30:59 UTC
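The distinction the reply draws (credentials held by the user agent, sent only with `withCredentials`, versus an `Authorization` header the script sets itself) and the consequence for the server's response headers, modelled as an added example. This is not code from the thread, from the CORS spec, or from any browser; the request and policy object shapes and the names `needsPreflight`, `serverResponseHeaders` and `browserAccepts` are this example's own. The header names and the acceptance rules (wildcard origin rejected with credentials, `Access-Control-Allow-Headers: *` not covering `Authorization`) follow the CORS/Fetch specifications; the wildcard-header rule comes from the later Fetch standard, not the 2013 text.

```javascript
// Added example (not from the mailing-list thread): a minimal model of the
// browser-side CORS decision. "credentials: 'include'" stands for the
// user-agent-held credentials the spec means (cookies, HTTP auth state, client
// certs); a script-set Authorization header is just a non-safelisted header.
// Request/policy shapes are constructed for this example.

const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);

// A preflight is needed for non-simple methods or any non-safelisted header.
// Authorization is NOT safelisted, so setting it always costs a preflight.
function needsPreflight(req) {
  const simpleMethod = ['GET', 'HEAD', 'POST'].includes(req.method);
  const extra = Object.keys(req.headers || {})
    .map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED_HEADERS.has(h));
  return !simpleMethod || extra.length > 0;
}

// Server side: derive CORS response headers from a static policy.
// policy = { allowOrigins: '*' | [origin...], allowCredentials: bool, allowHeaders: [name...] }
function serverResponseHeaders(origin, policy) {
  const headers = {};
  if (policy.allowOrigins === '*') {
    headers['access-control-allow-origin'] = '*';
  } else if (policy.allowOrigins.includes(origin)) {
    headers['access-control-allow-origin'] = origin; // echo, never reflect blindly
    headers['vary'] = 'Origin';
  }
  if (policy.allowCredentials) headers['access-control-allow-credentials'] = 'true';
  if (policy.allowHeaders && policy.allowHeaders.length) {
    headers['access-control-allow-headers'] = policy.allowHeaders.join(', ');
  }
  return headers;
}

// Browser side: resource-sharing check plus the preflight header check.
function browserAccepts(req, resp) {
  const acao = resp['access-control-allow-origin'];
  const withCreds = req.credentials === 'include';
  if (acao === undefined) return { ok: false, reason: 'no Access-Control-Allow-Origin' };
  if (acao === '*') {
    if (withCreds) return { ok: false, reason: 'wildcard origin not allowed with credentials' };
  } else if (acao !== req.origin) {
    return { ok: false, reason: 'origin mismatch' };
  }
  if (withCreds && resp['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'credentials sent but Access-Control-Allow-Credentials is not "true"' };
  }
  if (needsPreflight(req)) {
    const allowed = (resp['access-control-allow-headers'] || '')
      .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
    for (const h of Object.keys(req.headers || {}).map((x) => x.toLowerCase())) {
      if (SAFELISTED_HEADERS.has(h)) continue;
      // "*" covers non-credentialed requests only, and never Authorization.
      const wildcard = allowed.includes('*') && !withCreds && h !== 'authorization';
      if (!wildcard && !allowed.includes(h)) {
        return { ok: false, reason: `header ${h} not allowed by preflight` };
      }
    }
  }
  return { ok: true, reason: 'allowed' };
}

const APP = 'https://app.example'; // constructed origin

// Scenario A (the Chrome observation in the thread): script-set Authorization,
// no withCredentials. A preflight is required; Access-Control-Allow-Credentials is not.
function scriptSetAuthorization() {
  const req = { origin: APP, method: 'GET', credentials: 'omit',
    headers: { Authorization: 'Bearer constructed-token' } };
  const policy = { allowOrigins: '*', allowCredentials: false, allowHeaders: ['Authorization'] };
  const resp = serverResponseHeaders(req.origin, policy);
  return { preflight: needsPreflight(req), ...browserAccepts(req, resp) };
}

// Scenario B: a cookie-backed request (user credentials). A wildcard origin is
// rejected; the server must echo the origin and set Allow-Credentials: true.
function cookieBackedRequest(policy) {
  const req = { origin: APP, method: 'GET', credentials: 'include', headers: {} };
  return browserAccepts(req, serverResponseHeaders(req.origin, policy));
}

const WILDCARD_POLICY = { allowOrigins: '*', allowCredentials: false, allowHeaders: [] };
const ECHO_POLICY = { allowOrigins: [APP], allowCredentials: true, allowHeaders: [] };

console.log(scriptSetAuthorization());
console.log(cookieBackedRequest(WILDCARD_POLICY));
console.log(cookieBackedRequest(ECHO_POLICY));
```

Note that `browserAccepts` models a check the user agent performs to protect the user, not the server: a non-browser client can put any value in `Origin`, which is why the thread's point that `Origin` is never a credential holds regardless of how the server echoes it.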