- From: Monsur Hossain <monsur@gmail.com>
- Date: Thu, 26 Sep 2013 23:30:06 -0500
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKSyWQkgHuw7MxdhUgCvP5txzjCtbyHZdnmdAn5=4fFxWM2B9Q@mail.gmail.com>
I feel like the definition of the term "user credentials" in the CORS spec could use some clarification. The spec currently says:

"The term user credentials for the purposes of this specification means cookies, HTTP authentication, and client-side SSL certificates. Specifically it does not refer to proxy authentication or the Origin header."

Some points that are confusing me:

1) What is meant by "HTTP Authentication"? Is it RFC 2617 (http://tools.ietf.org/html/rfc2617)? If so it should be referenced in the definition.

2) Is the "Authorization" request header intended to be included in the definition of "user credentials"? A quick test in Chrome indicates that I can send an Authorization header without setting xhr.withCredentials or the Access-Control-Allow-Credentials header. Is this a mismatch between the spec and the actual browser implementation?

3) Why does the definition make a point to say that the Origin header is *not* considered user credentials? My understanding is that Origin should never be a substitute for user credentials. Is it just reiterating this point, or is there a case where user authorization is done via the Origin header?

Thanks,
Monsur
Received on Friday, 27 September 2013 04:30:34 UTC
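The distinction behind point 2 above, as an added example that is not part of the original message: a simplified model (my own, based on the Fetch standard's CORS protocol rather than any browser's source) of how a request sent with xhr.withCredentials differs from one that merely carries an author-set Authorization header. The request and response objects, and the header subset checked, are assumptions for illustration.

```javascript
// Added example, not from the original post. A teaching model of the CORS
// protocol: a request "with credentials" (cookies, the browser's HTTP auth
// cache, client certs) is gated by Access-Control-Allow-Credentials, while an
// author-set Authorization header is just a non-safelisted header that forces
// a preflight and must be named in Access-Control-Allow-Headers.
// Simplification: Content-Type is treated as always safelisted here.

const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

function nonSafelistedHeaders(req) {
  return Object.keys(req.headers || {})
    .map(h => h.toLowerCase())
    .filter(h => !SAFELISTED.has(h));
}

// A non-simple method or any non-safelisted header (Authorization included)
// triggers a preflight, independent of the credentials flag.
function needsPreflight(req) {
  const method = (req.method || 'GET').toUpperCase();
  return !['GET', 'HEAD', 'POST'].includes(method) || nonSafelistedHeaders(req).length > 0;
}

// Evaluate lower-cased server response headers for a request from req.origin.
function corsCheck(req, resp) {
  const acao = resp['access-control-allow-origin'];
  const acac = resp['access-control-allow-credentials'];
  const allowHeaders = (resp['access-control-allow-headers'] || '')
    .toLowerCase().split(',').map(s => s.trim()).filter(Boolean);

  if (req.withCredentials) {
    // Credentialed requests: exact origin match and ACAC must be exactly "true".
    if (acao !== req.origin) return { ok: false, reason: 'wildcard or mismatched origin with credentials' };
    if (acac !== 'true') return { ok: false, reason: 'Access-Control-Allow-Credentials: true required' };
  } else if (acao !== '*' && acao !== req.origin) {
    return { ok: false, reason: 'origin not allowed' };
  }

  if (needsPreflight(req)) {
    // "*" in Allow-Headers only counts without credentials, and never covers Authorization.
    const wildcardOk = allowHeaders.includes('*') && !req.withCredentials;
    const missing = nonSafelistedHeaders(req)
      .filter(h => !(allowHeaders.includes(h) || (wildcardOk && h !== 'authorization')));
    if (missing.length) return { ok: false, reason: 'preflight rejects headers: ' + missing.join(', ') };
    return { ok: true, reason: 'allowed after preflight' };
  }
  return { ok: true, reason: 'allowed (simple request)' };
}
```

So a manually set Authorization header passes without ACAC as long as the preflight lists it, which matches the Chrome observation in point 2.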