On Apr 12, 2010, at 3:09 PM, Torsten Lodderstedt wrote:

> On 12.04.2010 21:00, Luke Shepard wrote:
>>>> If OAuth ever gets to the point where it replaces Basic auth in the browser,
>>>> or used instead of other cookie-based authentication systems, it will gain
>>>> native browser support which will use the header exclusively. Until then, JS
>>>> code cannot make OAuth requests without other ways to send the token.
>>>>
>>> As far as I know, JavaScript code can set headers, incl. Authorization
>>> Headers, using the operation setRequestHeaders of the XMLHttpRequest
>>> Object
>>>
>> XMLHttpRequest is limited to the same domain (example.com can make calls to
>> example.com). When making cross domain requests (example.com requesting data
>> from facebook.com), different techniques must be used. Many of those
>> techniques (such as JSONP) are restricted to just modifying the URL, and
>> cannot set headers or use POST.
>>
> I thought "HTTP Origin Headers" (http://www.petefreitag.com/item/702.cfm)
> would eliminate that restriction?

Use of the Origin HTTP header and W3C CORS (see https://developer.mozilla.org/En/HTTP_access_control for an explanation and information about Mozilla's support for that) is one of the proposed ways to allow cross-domain requests. There are others, such as the proposed standard Uniform Messaging Policy (http://www.w3.org/TR/UMP/). However,

i) Not all browsers support CORS yet (Gecko and Webkit latest builds do, but not their latest stable versions)

ii) Sites have to "opt-in" in all of these models to allow a cross-domain request, and most sites haven't opted in (cross-domain requests are thus not allowed in most cases)

So browsers will often have to enforce same-domain requests in the usual way, requiring hacks like JSONP in order to perform cross-site requests, and thus Javascript cannot be (and will not be any time soon) assumed to support the setting of HTTP headers in all cases.

Cheers,

- johnk

> regards,
> Torsten.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
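The "opt-in" model discussed in the reply above, as an added example (this is not code from the thread or from any participant): a server-side function, written for Node.js, that decides which CORS response headers a resource server emits for a given request. It shows the two things the thread touches on: the server must explicitly allow the requesting Origin, and a cross-origin XMLHttpRequest that sets an Authorization header is only possible if the server also answers the browser's preflight and lists that header as allowed. The origin allowlist, the allowed method/header lists, and the sample requests are constructed values for illustration.

```javascript
// Added example: server-side CORS opt-in decision for a resource server.
// If this function returns {} the browser withholds the response from script,
// which is the default "not opted in" outcome the reply above describes.

// Constructed allowlist of origins permitted to make cross-origin requests.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com', // constructed value
  'https://example.com',     // constructed value
]);

const ALLOWED_METHODS = ['GET', 'POST'];
// Authorization is not a "simple" header, so it always triggers a preflight.
const ALLOWED_REQUEST_HEADERS = ['authorization', 'content-type'];

// req is a plain object: { method, headers: { origin, 'access-control-request-method',
// 'access-control-request-headers' } } with lower-cased header names.
function corsHeaders(req, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = req.headers['origin'];
  // No Origin header: same-origin or non-browser client; CORS does not apply.
  if (!origin) return {};
  // Exact match against the allowlist. Never reflect an arbitrary Origin and
  // never answer '*' when credentials (cookies/Authorization) are involved.
  if (!allowedOrigins.has(origin)) return {};

  const headers = {
    'Access-Control-Allow-Origin': origin,
    // The response differs per Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };

  const isPreflight =
    req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  if (!isPreflight) return headers;

  // Preflight: the browser asks permission before sending a non-simple
  // request (e.g. one carrying Authorization). Grant only what is supported.
  const wantedMethod = req.headers['access-control-request-method'].toUpperCase();
  if (!ALLOWED_METHODS.includes(wantedMethod)) return {};

  const wantedHeaders = (req.headers['access-control-request-headers'] || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  if (!wantedHeaders.every((h) => ALLOWED_REQUEST_HEADERS.includes(h))) return {};

  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = ALLOWED_REQUEST_HEADERS.join(', ');
  headers['Access-Control-Max-Age'] = '600';
  return headers;
}

// Constructed sample exchange: a preflight for GET + Authorization from an
// allowed origin, and the identical preflight from an origin that never opted in.
const preflightAllowed = {
  method: 'OPTIONS',
  headers: {
    origin: 'https://app.example.com',
    'access-control-request-method': 'GET',
    'access-control-request-headers': 'authorization',
  },
};
const preflightDenied = {
  ...preflightAllowed,
  headers: { ...preflightAllowed.headers, origin: 'https://other.example.net' },
};

console.log(corsHeaders(preflightAllowed)); // Allow-Origin, Vary, Allow-Methods, Allow-Headers, Max-Age
console.log(corsHeaders(preflightDenied));  // {} -> browser blocks the cross-origin request
```

The function is deliberately a pure decision routine so it can sit in front of any HTTP framework: feed it the parsed request, write the returned headers (if any) onto the response, and for a preflight respond with an empty 204. Returning `{}` rather than an explicit denial header is intentional; CORS is an allowlist, and absence of the grant is what makes the browser enforce the same-origin rule.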
