
[CORS] Clarifying the term "user credentials"

From: Monsur Hossain <monsur@gmail.com>
Date: Thu, 26 Sep 2013 23:30:06 -0500
Message-ID: <CAKSyWQkgHuw7MxdhUgCvP5txzjCtbyHZdnmdAn5=4fFxWM2B9Q@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

I feel like the definition of the term "user credentials" in the CORS spec
could use some clarification. The spec currently says:

"The term user credentials for the purposes of this specification means
cookies, HTTP authentication, and client-side SSL certificates.
Specifically it does not refer to proxy authentication or the Origin

Some points that are confusing me:

1) What is meant by "HTTP Authentication"? Is it
If so it should be referenced in the definition.

2) Is the "Authorization" request header intended to be included in the
definition of "user credentials"? A quick test in Chrome indicates that I
can send an Authorization header without setting xhr.withCredentials or the
Access-Control-Allow-Credentials header. Is this a mismatch between the
spec and the actual browser implementation?

3) Why does the definition make a point to say that the Origin header is
*not* considered user credentials? My understanding is that Origin should
never be a substitute for user credentials. Is it just reiterating this
point, or is there a case where user authorization is done via the Origin

Received on Friday, 27 September 2013 04:30:34 UTC
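As an added example (not part of the original post or of the CORS spec), here is a minimal server-side CORS policy that keeps the two mechanisms apart: the browser's credentials flag (cookies, browser-stored HTTP authentication, client certificates, gated by Access-Control-Allow-Credentials) and a script-set Authorization header, which the browser treats as a non-safelisted request header subject to preflight and Access-Control-Allow-Headers. The origin allowlist, header allowlist and the request objects are constructed for illustration.

```javascript
// Constructed policy: only this origin may read responses, and only these
// non-safelisted request headers and methods pass preflight.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_HEADERS = new Set(['authorization', 'content-type']);
const ALLOWED_METHODS = new Set(['GET', 'POST']);

// req is { method, headers } with lower-cased header names (constructed shape).
// Returns the CORS response headers to emit; an empty object means "emit none",
// which makes the browser refuse the cross-origin read or fail the preflight.
function corsHeaders(req) {
  const origin = req.headers['origin'];
  // Same-origin and non-browser clients send no Origin: nothing to add.
  if (origin === undefined) return {};
  // Origin names the calling origin; it is not a user credential. It decides
  // whether this response may be exposed, never who the user is.
  if (!ALLOWED_ORIGINS.has(origin)) return {};

  const out = {
    // Echo the specific origin; '*' is rejected by browsers with credentials.
    'Access-Control-Allow-Origin': origin,
    // Caches must key on the requesting origin.
    'Vary': 'Origin',
    // Permits cookies / HTTP auth / client certs when the script opted in
    // via xhr.withCredentials (or fetch credentials: 'include').
    'Access-Control-Allow-Credentials': 'true',
  };

  const isPreflight = req.method === 'OPTIONS' &&
    'access-control-request-method' in req.headers;
  if (!isPreflight) return out;

  const method = req.headers['access-control-request-method'];
  const requested = (req.headers['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  // A script-set Authorization header arrives here, in the preflight's
  // requested-headers list, not via the credentials flag. Deny the preflight
  // if it, or any other requested header or method, is not allowlisted.
  if (!ALLOWED_METHODS.has(method) ||
      !requested.every(h => ALLOWED_HEADERS.has(h))) {
    return {};
  }
  out['Access-Control-Allow-Methods'] = [...ALLOWED_METHODS].join(', ');
  out['Access-Control-Allow-Headers'] = requested.join(', ');
  out['Access-Control-Max-Age'] = '600';
  return out;
}
```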
