Re: [CORS] Does the Authorization header qualify as a CORS credential?

On Fri, Jan 10, 2014 at 7:45 AM, Vladimir Dzhuvinov wrote:
> I'm the maintainer of the Java CORS Filter library and I'm trying to
> resolve an issue [1] with a developer.
> When Access-Control-Allow-Credentials is advertised, does it apply to
> the Authorization header (basic HTTP auth, OAuth, etc), or is it limited
> to browser cookies only?
> [1]

It is limited to browser-provided credentials, including cookies and
HTTP authentication. So if you authenticate with x.example and in the
same session go to y.example which requests something from x.example
and says to include credentials, the browser is expected to include
the credentials previously provided for x.example.

This is different from y.example setting the Authorization header,
which would cause a CORS preflight for that header.

This is rather messy and I wish we had more carefully thought this setup through.


Received on Friday, 10 January 2014 10:44:30 UTC
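
The two cases distinguished in the reply above, as an added example that is not part of the original thread or of the Java CORS Filter library: a simplified JavaScript model of the browser's checks, showing that browser-stored credentials need `Access-Control-Allow-Credentials` while a script-set `Authorization` header needs a preflight that lists it in `Access-Control-Allow-Headers`. The function names, the request object shape and the sample token are assumptions made for illustration.

```javascript
// Added example: simplified model of the browser's CORS checks (names are hypothetical).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);

const parseList = (v) =>
  (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// req: { origin, method, headers (set by script), withCredentials }
// res: response headers keyed by lowercase name
function planRequest(req) {
  const custom = Object.keys(req.headers || {})
    .map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED.has(h)) // header values are not inspected in this model
    .sort();
  return {
    preflight: custom.length > 0 || !SIMPLE_METHODS.has(req.method),
    requestHeaders: custom, // sent as Access-Control-Request-Headers
    sendsStoredCredentials: Boolean(req.withCredentials), // cookies, cached HTTP auth
  };
}

// Origin/credentials check applied to both the preflight and the actual response.
function responseOk(req, res) {
  const acao = res['access-control-allow-origin'];
  if (req.withCredentials) {
    // Credentialed mode: no wildcard, and the server must opt in explicitly.
    return acao === req.origin && res['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === req.origin;
}

// Preflight passes only if every script-set, non-safelisted header is listed by name.
function preflightOk(req, res) {
  const allowedHeaders = parseList(res['access-control-allow-headers']);
  const allowedMethods = parseList(res['access-control-allow-methods']);
  const plan = planRequest(req);
  const methodOk = SIMPLE_METHODS.has(req.method) ||
    allowedMethods.includes(req.method.toLowerCase());
  return responseOk(req, res) && methodOk &&
    plan.requestHeaders.every((h) => allowedHeaders.includes(h));
}

// Constructed sample requests from y.example to x.example.
const storedAuth = { origin: 'https://y.example', method: 'GET', headers: {}, withCredentials: true };
const scriptAuth = { origin: 'https://y.example', method: 'GET',
  headers: { Authorization: 'Bearer constructed-token' }, withCredentials: false };
```
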