- From: Austin William Wright <aaa@bzfx.net>
- Date: Fri, 11 Oct 2013 00:30:31 -0700
- To: Monsur Hossain <monsur@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CANkuk-UKAHZDoPCmmnU785K-uRBQth3YOt=+HmTJJA04Mdpz1g@mail.gmail.com>
On Thu, Sep 26, 2013 at 9:30 PM, Monsur Hossain <monsur@gmail.com> wrote:
> I feel like the definition of the term "user credentials" in the CORS spec
> could use some clarification. The spec currently says:
>
> "The term user credentials for the purposes of this specification means
> cookies, HTTP authentication, and client-side SSL certificates.
> Specifically it does not refer to proxy authentication or the Origin
> header."
>
> Some points that are confusing me:
>
> 1) What is meant by "HTTP Authentication"? Is it RFC 2617 <http://tools.ietf.org/html/rfc2617>?
> If so it should be referenced in the definition.
>

It appears to be the `Authorization` header (but see my response to (2) below). HTTP is referenced, see <http://www.w3.org/TR/cors/#refsHTTP>.

> 2) Is the "Authorization" request header intended to be included in the
> definition of "user credentials"? A quick test in Chrome indicates that I
> can send an Authorization header without setting xhr.withCredentials or the
> Access-Control-Allow-Credentials header. Is this a mismatch between the
> spec and the actual browser implementation?
>

"User credentials" and the `withCredentials` property refer to information stored in the user agent, not your ability to define a custom `Authorization` header or `Cookie` header. I would strongly support re-wording the text to clarify this point.

> 3) Why does the definition make a point to say that the Origin header is
> *not* considered user credentials? My understanding is that Origin should
> never be a substitute for user credentials. Is it just reiterating this
> point, or is there a case where user authorization is done via the Origin
> header?
>

It's just reiterating that point. You're correct, the `Origin` header must never be used for authentication.

The line may be thwarting a number of potential problems: server/resource authors trying to authenticate requests from a trusted sibling site, or implementers who would otherwise erroneously omit necessary headers.

> Thanks,
> Monsur
>
Received on Friday, 11 October 2013 07:30:59 UTC
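The distinction drawn in the reply above (browser-stored credentials gated by `withCredentials` and `Access-Control-Allow-Credentials`, a script-set `Authorization` header gated by the preflight's `Access-Control-Allow-Headers`, and `Origin` used only to pick the CORS policy, never to authenticate) is shown below as an added server-side example. This is illustrative code written for this page, not code from the thread, the CORS spec or any browser; the origin allowlist, session ids and bearer tokens are constructed values.

```javascript
// Added example (not from the thread or the CORS spec): a minimal
// server-side CORS/auth decision in plain Node.js, separating three things:
//   1. user credentials stored in the browser (cookies, HTTP auth), which the
//      browser only attaches cross-origin when the page sets
//      xhr.withCredentials and the server answers Allow-Credentials: true;
//   2. a script-set Authorization header, which is not a "user credential" in
//      that sense but is a non-safelisted header, so it is gated by the
//      preflight's Access-Control-Allow-Headers instead;
//   3. the Origin header, which selects the CORS policy and must never
//      authenticate the caller.
// ALLOWED_ORIGINS, SESSIONS and TOKENS are assumed/constructed values.

const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed allowlist
const SESSIONS = new Set(["sess-7f3a"]);                       // constructed session ids
const TOKENS = new Set(["tok-2b9c"]);                          // constructed bearer tokens
const ALLOWED_HEADERS = ["authorization", "content-type"];     // headers a script may add

// req = { method, headers } with lowercase header names.
// Returns { status, headers } describing the response.
function corsHeaders(req) {
  const origin = req.headers["origin"];
  const headers = {};
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: emit no CORS headers at all. Never answer "*" on a
    // resource that accepts credentials; "*" is not valid together with
    // Access-Control-Allow-Credentials: true.
    return { status: 403, headers };
  }
  headers["Access-Control-Allow-Origin"] = origin;      // echo the exact origin
  headers["Vary"] = "Origin";                           // keep caches per-origin
  headers["Access-Control-Allow-Credentials"] = "true"; // cookies / HTTP auth may be sent

  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    // Preflight. A custom Authorization header only reaches the server on the
    // actual request if it is listed here; withCredentials has no say in that.
    const requested = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const permitted = requested.filter((h) => ALLOWED_HEADERS.includes(h));
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Allow-Headers"] = permitted.join(", ");
    headers["Access-Control-Max-Age"] = "600";
    // Still 204 when something was refused: the browser compares the lists
    // and fails the request on its side.
    return { status: 204, headers };
  }
  return { status: 200, headers };
}

// Authentication looks only at credentials. A trusted Origin by itself
// yields false, which is the point the thread reiterates.
function isAuthenticated(req) {
  const auth = req.headers["authorization"] || "";
  if (auth.startsWith("Bearer ")) return TOKENS.has(auth.slice(7).trim());
  const cookie = req.headers["cookie"] || "";
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookie);
  return m !== null && SESSIONS.has(m[1]);
}

// Full decision for one request: CORS policy first, then authentication.
function handle(req) {
  const res = corsHeaders(req);
  if (res.status !== 200) return res;                 // 403 or preflight 204
  if (!isAuthenticated(req)) return { status: 401, headers: res.headers };
  return res;
}

// Stand-alone demo: a page on the allowed origin whose browser holds a
// session cookie (sent only if that page set xhr.withCredentials = true).
console.log(handle({
  method: "GET",
  headers: { origin: "https://app.example.com", cookie: "session=sess-7f3a" },
}));
```

A request carrying only a trusted `Origin` gets the CORS headers and a 401, while the same request from an unlisted origin gets no CORS headers at all, so a browser will not expose the response to the page even if a valid cookie rode along.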