
Re: [CORS] Clarifying the term "user credentials"

From: Monsur Hossain <monsur@gmail.com>
Date: Fri, 11 Oct 2013 13:33:53 -0500
Message-ID: <CAKSyWQmNqe=cLmKAGD12EuvZ+7hbtM1bkRReKCrOJjyrvLMacQ@mail.gmail.com>
To: Austin William Wright <aaa@bzfx.net>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
I agree that this could use some clarification. It was confusing to me,
especially because a) setting "withCredentials" is becoming synonymous with
"supporting cookies", so it was surprising (to me) to see other things in
the definition for "user credentials", and b) authorization mechanisms such as
OAuth2 can send credentials without
withCredentials/Access-Control-Allow-Credentials set.


On Fri, Oct 11, 2013 at 2:30 AM, Austin William Wright <aaa@bzfx.net> wrote:

>
> On Thu, Sep 26, 2013 at 9:30 PM, Monsur Hossain <monsur@gmail.com> wrote:
>
>> I feel like the definition of the term "user credentials" in the CORS
>> spec could use some clarification. The spec currently says:
>>
>> "The term user credentials for the purposes of this specification means
>> cookies, HTTP authentication, and client-side SSL certificates.
>> Specifically it does not refer to proxy authentication or the Origin
>> header."
>>
>> Some points that are confusing me:
>>
>> 1) What is meant by "HTTP Authentication"? Is it RFC 2617 <http://tools.ietf.org/html/rfc2617>?
>> If so it should be referenced in the definition.
>>
>
> It appears to be the `Authorization` header (but see my response to (2)
> below).
>
> HTTP is referenced, see <http://www.w3.org/TR/cors/#refsHTTP>.
>
>
>>
>> 2) Is the "Authorization" request header intended to be included in the
>> definition of "user credentials"? A quick test in Chrome indicates that I
>> can send an Authorization header without setting xhr.withCredentials or the
>> Access-Control-Allow-Credentials header. Is this a mismatch between the
>> spec and the actual browser implementation?
>>
>
> "User credentials" and the `withCredentials` property refers to
> information stored in the user agent, not your ability to define a custom
> `Authorization` header or `Cookie` header. I would strongly support
> re-wording the text to clarify this point.
>
>
>>
>> 3) Why does the definition make a point to say that the Origin header is
>> *not* considered user credentials? My understanding is that Origin should
>> never be a substitute for user credentials. Is it just reiterating this
>> point, or is there a case where user authorization is done via the Origin
>> header?
>>
>
> It's just reiterating that point. You're correct, the `Origin` header must
> never be used for authentication.
>
> The line may be thwarting a number of potential problems: Server/resource
> authors trying to authenticate requests from a trusted sibling site, or
> implementers who would otherwise erroneously omit necessary headers.
>
>
>>
>> Thanks,
>> Monsur
>>
>>
>
Received on Friday, 11 October 2013 18:34:21 UTC
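
The distinction the thread settles on (withCredentials governs what the user agent itself stores, while a script-supplied Authorization header is just a non-safelisted request header that triggers a preflight) is easiest to see by modelling the browser-side CORS checks. The block below is an added example written for this archive page; it is not code from either poster or from the CORS spec. The function names, the request object shape, the sample origin "https://app.example", the token value and the response header sets are all constructed for the illustration, and the model deliberately omits the Content-Type value restrictions and the "*" shorthand in Access-Control-Allow-Headers.

```javascript
// Added example (not from the mailing-list thread): a model of the browser-side
// CORS checks, showing why a script-set Authorization header is sent without
// withCredentials while stored cookies need withCredentials plus a server opt-in.
// Names, request shape, origin, token and sample headers are constructed.

// CORS-safelisted request headers and methods. The value-based restrictions on
// Content-Type are omitted here (simplifying assumption).
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);

// A request carries the headers the script set explicitly plus a credentials
// mode saying whether the user agent attaches what *it* stores (cookies, cached
// HTTP auth, client certs). That stored state is the spec's "user credentials";
// an Authorization header the script sets is just another non-safelisted header.
function makeRequest({ origin, method = 'GET', headers = {}, credentials = 'omit' }) {
  return { origin, method, headers, credentials };
}

// Non-safelisted headers or methods force a preflight OPTIONS request.
function needsPreflight(req) {
  if (!SAFELISTED_METHODS.has(req.method)) return true;
  return Object.keys(req.headers).some(h => !SAFELISTED_HEADERS.has(h.toLowerCase()));
}

function splitList(value) {
  return (value || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Decide whether a cross-origin response is exposed to the calling script.
// res: object mapping lower-cased response header names to values.
// Returns { allowed: boolean, reason: string }.
function corsCheck(req, res) {
  const fail = reason => ({ allowed: false, reason });
  const acao = res['access-control-allow-origin'];
  if (acao === undefined) return fail('missing Access-Control-Allow-Origin');

  if (req.credentials === 'include') {
    // With user credentials the server must name the origin and opt in explicitly.
    if (acao === '*') return fail('"*" origin is not allowed with credentials');
    if (acao !== req.origin) return fail('origin not allowed');
    if (res['access-control-allow-credentials'] !== 'true') {
      return fail('Access-Control-Allow-Credentials must be "true"');
    }
  } else if (acao !== '*' && acao !== req.origin) {
    return fail('origin not allowed');
  }

  if (needsPreflight(req)) {
    // The preflight answer must list every non-safelisted request header
    // (the "*" shorthand is not modelled here; simplifying assumption).
    const allowedHeaders = new Set(splitList(res['access-control-allow-headers']));
    for (const h of Object.keys(req.headers)) {
      const name = h.toLowerCase();
      if (!SAFELISTED_HEADERS.has(name) && !allowedHeaders.has(name)) {
        return fail(`header "${h}" not allowed by preflight`);
      }
    }
  }
  return { allowed: true, reason: 'ok' };
}

// Scenario 1: script-supplied Authorization header, withCredentials unset.
// The header goes out; the server only needs to answer the preflight.
const bearerRequest = makeRequest({
  origin: 'https://app.example',
  headers: { Authorization: 'Bearer constructed-token' },
});
const publicApiResponse = {
  'access-control-allow-origin': '*',
  'access-control-allow-headers': 'Authorization',
};

// Scenario 2: plain GET with withCredentials set (stored cookies to be sent).
// A wildcard origin is now rejected; the server must echo the origin and opt in.
const cookieRequest = makeRequest({ origin: 'https://app.example', credentials: 'include' });
const credentialedResponse = {
  'access-control-allow-origin': 'https://app.example',
  'access-control-allow-credentials': 'true',
};

function demo() {
  return {
    bearerOnPublicApi: corsCheck(bearerRequest, publicApiResponse),
    cookiesOnPublicApi: corsCheck(cookieRequest, publicApiResponse),
    cookiesOnCredentialedApi: corsCheck(cookieRequest, credentialedResponse),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Running demo() shows the behaviour Monsur observed in Chrome: the bearer request succeeds against a wildcard-origin API with no Access-Control-Allow-Credentials at all, because nothing the user agent stores is involved, while the cookie-bearing request is blocked by the very same response and only succeeds once the server names the origin and sets Access-Control-Allow-Credentials: true.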