
[CORS] Clarifying the term "user credentials"

From: Monsur Hossain <monsur@gmail.com>
Date: Thu, 26 Sep 2013 23:30:06 -0500
Message-ID: <CAKSyWQkgHuw7MxdhUgCvP5txzjCtbyHZdnmdAn5=4fFxWM2B9Q@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

I feel like the definition of the term "user credentials" in the CORS spec
could use some clarification. The spec currently says:

"The term user credentials for the purposes of this specification means
cookies, HTTP authentication, and client-side SSL certificates.
Specifically it does not refer to proxy authentication or the Origin
header."

Some points that are confusing me:

1) What is meant by "HTTP Authentication"? Is it
RFC 2617 <http://tools.ietf.org/html/rfc2617>?
If so it should be referenced in the definition.

2) Is the "Authorization" request header intended to be included in the
definition of "user credentials"? A quick test in Chrome indicates that I
can send an Authorization header without setting xhr.withCredentials or the
Access-Control-Allow-Credentials header. Is this a mismatch between the
spec and the actual browser implementation?

3) Why does the definition make a point to say that the Origin header is
*not* considered user credentials? My understanding is that Origin should
never be a substitute for user credentials. Is it just reiterating this
point, or is there a case where user authorization is done via the Origin
header?

Thanks,
Monsur
Received on Friday, 27 September 2013 04:30:34 UTC
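The following is an added illustration and is not code from the original post or from the CORS specification. It is a minimal server-side CORS decision function in the style of a Node.js request handler, written to show the two consequences of the spec's definition of "user credentials" that the questions above touch on: a credentialed response must echo one specific allowed Origin rather than "*", and an Authorization header that page script sets itself is an ordinary author request header rather than a "user credential", so it is governed by the preflight's Access-Control-Allow-Headers and not by withCredentials (what withCredentials gates is the browser's own stored state: cookies, cached HTTP authentication entries and client certificates). The function name, the allowlists and the request shape are this example's own assumptions.

```javascript
// Added example (not from the original post or the CORS spec): a pure
// function that decides which CORS response headers to attach.
// Names (corsResponseHeaders, ALLOWED_ORIGINS, ALLOWED_REQUEST_HEADERS,
// ALLOWED_METHODS) are this example's own, not spec or library identifiers.

// Constructed allowlist of origins that may make credentialed requests.
const ALLOWED_ORIGINS = new Set([
  'https://app.example',
  'https://admin.example',
]);

// Request headers a script is permitted to send (lower-cased, as browsers
// send them in Access-Control-Request-Headers). Authorization is listed
// here because a script-set Authorization header is an author header and
// must be granted by the preflight, independent of the credentials flag.
const ALLOWED_REQUEST_HEADERS = new Set(['authorization', 'content-type']);

const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];

// req: { method: string, headers: { [lowercaseName]: string } }
// Returns the CORS response headers to attach, or an empty object when the
// request is not cross-origin or its Origin is not on the allowlist (the
// browser then blocks the response from script).
function corsResponseHeaders(req) {
  const origin = req.headers['origin'];
  if (!origin) return {};                      // same-origin or non-browser client
  if (!ALLOWED_ORIGINS.has(origin)) return {}; // unknown origin: no CORS grant

  const headers = {
    // Echo the single matching origin. Browsers reject "*" here whenever
    // Access-Control-Allow-Credentials is "true", so a server that wants
    // cookies or HTTP auth to flow must validate and echo a specific origin.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response differs per Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };

  const isPreflight =
    req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  if (!isPreflight) return headers;

  const requestedMethod = req.headers['access-control-request-method'];
  if (!ALLOWED_METHODS.includes(requestedMethod)) return {}; // deny preflight

  // Grant only the requested headers that are on the allowlist. A header
  // that is requested but not granted (e.g. x-internal-token) is left out,
  // and the browser fails the preflight for that request.
  const requested = (req.headers['access-control-request-headers'] || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter((h) => h.length > 0);
  const granted = requested.filter((h) => ALLOWED_REQUEST_HEADERS.has(h));

  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  if (granted.length > 0) {
    headers['Access-Control-Allow-Headers'] = granted.join(', ');
  }
  headers['Access-Control-Max-Age'] = '600';
  return headers;
}

// Stand-alone demonstration with a constructed preflight request.
const demoPreflight = {
  method: 'OPTIONS',
  headers: {
    origin: 'https://app.example',
    'access-control-request-method': 'PUT',
    'access-control-request-headers': 'Authorization, X-Internal-Token',
  },
};
console.log(corsResponseHeaders(demoPreflight));
```

Run with `node` to see the preflight response for the constructed request: Authorization is granted, the unlisted X-Internal-Token is not, and the allowed origin is echoed verbatim with Access-Control-Allow-Credentials set. An Origin outside the allowlist yields no CORS headers at all, which is the conservative default for a credentialed endpoint.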
