[CORS] Clarifying the term "user credentials"

I feel like the definition of the term "user credentials" in the CORS spec
could use some clarification. The spec currently says:

"The term user credentials for the purposes of this specification means
cookies, HTTP authentication, and client-side SSL certificates.
Specifically it does not refer to proxy authentication or the Origin
header."

Some points that are confusing me:

1) What is meant by "HTTP Authentication"? Is it
RFC 2617 <http://tools.ietf.org/html/rfc2617>?
If so it should be referenced in the definition.

2) Is the "Authorization" request header intended to be included in the
definition of "user credentials"? A quick test in Chrome indicates that I
can send an Authorization header without setting xhr.withCredentials or the
Access-Control-Allow-Credentials header. Is this a mismatch between the
spec and the actual browser implementation?

3) Why does the definition make a point to say that the Origin header is
*not* considered user credentials? My understanding is that Origin should
never be a substitute for user credentials. Is it just reiterating this
point, or is there a case where user authorization is done via the Origin
header?

Thanks,
Monsur

Received on Friday, 27 September 2013 04:30:34 UTC
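As an added illustration of the rules the post is asking about (this is example code, not part of Monsur's message or of the spec text), the following is a small model of the checks a browser applies to a cross-origin request: the "user credentials" rules that hinge on withCredentials and Access-Control-Allow-Credentials, and the separate preflight rule that a script-set Authorization header falls under. Function names (corsCheck, needsPreflight, preflightAllowsHeaders) and the sample requests are hypothetical.

```javascript
// Simple (CORS-safelisted) request headers that never trigger a preflight.
// Note: Content-Type only counts as simple for a few values; that nuance is omitted here.
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);

function parseHeaderList(value) {
  return (value || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Model of the response check: may a cross-origin response be exposed to the page?
// request:  { origin, withCredentials, method, headers }
// response: { headers } with lower-case header names
function corsCheck(request, response) {
  const acao = response.headers["access-control-allow-origin"];
  const acac = response.headers["access-control-allow-credentials"];
  if (!acao) return { ok: false, reason: "no Access-Control-Allow-Origin" };
  if (request.withCredentials) {
    // Credentialed requests (cookies, HTTP auth, client certs) require an
    // exact origin echo plus Allow-Credentials: true; the "*" wildcard is rejected.
    if (acao === "*") return { ok: false, reason: "wildcard origin not allowed with credentials" };
    if (acao !== request.origin) return { ok: false, reason: "origin mismatch" };
    if (acac !== "true") return { ok: false, reason: "Access-Control-Allow-Credentials missing" };
  } else if (acao !== "*" && acao !== request.origin) {
    return { ok: false, reason: "origin mismatch" };
  }
  return { ok: true, reason: "allowed" };
}

// A script-set Authorization header is not a "user credential" in the CORS sense;
// it is a non-simple request header, so the request needs a preflight instead.
function nonSimpleHeaders(request) {
  return Object.keys(request.headers || {})
    .map(n => n.toLowerCase())
    .filter(n => !SIMPLE_HEADERS.has(n));
}

function needsPreflight(request) {
  const method = request.method || "GET";
  return nonSimpleHeaders(request).length > 0 || !["GET", "HEAD", "POST"].includes(method);
}

// The preflight response must list every non-simple header explicitly.
function preflightAllowsHeaders(request, preflightResponse) {
  const allowed = parseHeaderList(preflightResponse.headers["access-control-allow-headers"]);
  return nonSimpleHeaders(request).every(n => allowed.includes(n));
}
```

Seen this way, sending Authorization without withCredentials is consistent with the definition: the header is governed by the preflight's Access-Control-Allow-Headers, while Allow-Credentials governs cookies, HTTP auth and client certificates that the browser attaches on its own.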