W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2014

Re: [CORS] Does the Authorization header qualify as a CORS credential?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 10 Jan 2014 10:43:59 +0000
Message-ID: <CADnb78hkhk4-242ZEAzuN0C_GfDJBMYSTo6JEdK_K5Hyo6UUiQ@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Fri, Jan 10, 2014 at 7:45 AM, Vladimir Dzhuvinov
<vladimir@dzhuvinov.com> wrote:
> I'm the maintainer of the Java CORS Filter library and I'm trying to
> resolve an issue [1] with a developer.
> When Access-Control-Allow-Credentials is advertised, does it apply to
> the Authorization header (basic HTTP auth, OAuth, etc), or is it limited
> to brower cookies only?
> [1] https://bitbucket.org/thetransactioncompany/cors-filter/issue/16/

It is limited to browser-provided credentials, including cookies and
HTTP authentication. So if you authenticate with x.example and in the
same session go to y.example which requests something from x.example
and says to include credentials, the browser is expected to include
the credentials previously provided for x.example.

This is different from y.example setting the Authorization header,
which would cause a CORS preflight for that header.

This is rather messy and wish we had more carefully thought this setup through.

Received on Friday, 10 January 2014 10:44:30 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:36 UTC