- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 10 Jan 2014 10:43:59 +0000
- To: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Fri, Jan 10, 2014 at 7:45 AM, Vladimir Dzhuvinov <vladimir@dzhuvinov.com> wrote:
> I'm the maintainer of the Java CORS Filter library and I'm trying to
> resolve an issue [1] with a developer.
>
> When Access-Control-Allow-Credentials is advertised, does it apply to
> the Authorization header (basic HTTP auth, OAuth, etc), or is it limited
> to browser cookies only?
>
> [1] https://bitbucket.org/thetransactioncompany/cors-filter/issue/16/

It is limited to browser-provided credentials, including cookies and HTTP authentication. So if you authenticate with x.example and in the same session go to y.example which requests something from x.example and says to include credentials, the browser is expected to include the credentials previously provided for x.example.

This is different from y.example setting the Authorization header, which would cause a CORS preflight for that header.

This is rather messy and I wish we had more carefully thought this setup through.

--
http://annevankesteren.nl/
Received on Friday, 10 January 2014 10:44:30 UTC
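The two cases in the reply above, as an added example that is not part of the thread or of the CORS Filter library: a simplified JavaScript model of the Fetch standard's CORS checks. It assumes the origins x.example / y.example from the mail and constructed response header sets; the safelists are abbreviated (no header-value length limits), so it is a teaching model, not a replacement for a browser's implementation.

```javascript
// Simplified model of the browser-side CORS decisions discussed in the reply.
// Request headers that never trigger a preflight (abbreviated Fetch safelist).
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);

// Case 1 vs case 2 from the mail: `headers` holds only what the *script* set.
// Cookies and cached HTTP-auth credentials are attached by the browser and never
// appear here, so a credentialed GET with no script-set headers needs no preflight,
// while a script-set Authorization header does.
function needsPreflight({ method, headers }) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true; // e.g. Authorization set by y.example's script
    if (n === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Would the browser expose x.example's response to a page on `origin`?
// For a credentialed request (credentials: "include") the server must echo the
// exact origin (a "*" wildcard is rejected) AND send Allow-Credentials: true.
function responseAllowed(origin, credentialsInclude, responseHeaders) {
  const h = Object.fromEntries(Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const allowOrigin = h['access-control-allow-origin'];
  if (credentialsInclude) {
    return allowOrigin === origin && h['access-control-allow-credentials'] === 'true';
  }
  return allowOrigin === '*' || allowOrigin === origin;
}

// Constructed sample: y.example asking x.example to include stored credentials.
const PAGE_ORIGIN = 'https://y.example';
const OK_RESPONSE = { 'Access-Control-Allow-Origin': PAGE_ORIGIN, 'Access-Control-Allow-Credentials': 'true' };
const WILDCARD_RESPONSE = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' };

console.log('cookie/HTTP-auth GET needs preflight:', needsPreflight({ method: 'GET', headers: {} }));
console.log('script-set Authorization needs preflight:',
  needsPreflight({ method: 'GET', headers: { Authorization: 'Bearer constructed-token' } }));
console.log('credentialed response accepted:', responseAllowed(PAGE_ORIGIN, true, OK_RESPONSE));
console.log('wildcard + credentials accepted:', responseAllowed(PAGE_ORIGIN, true, WILDCARD_RESPONSE));
```

A server that wants to accept credentialed cross-origin requests therefore has to reflect a specific, validated origin rather than `*`, and must additionally list `Authorization` in `Access-Control-Allow-Headers` if client scripts set that header themselves.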