I have tried to clarify the bits about Authorization. Also, moving this
thread over to the proper list for XMLHttpRequest.
See (near the end):
http://dev.w3.org/2006/webapi/XMLHttpRequest/#the-send-method
On Sun, 06 Dec 2009 17:19:59 +0100, [email protected] <[email protected]> wrote:
> 2.- 4.6.3 is not clear. It is obvious the UA should check first for which
> type of authentication, but then if I read correctly you allow the script to
> set their own Authentication header via setRequestHeader.. but if the header
> is missing then you fall down to the 4th and 5th arguments of open.

Right.

> This makes the UA make 2 requests [one to know the auth method and the
> other to do the real request]?

In specific cases, yes. As implementations do already, I believe.

> Both requests have the data sent by send() (before and after 401)?

Yes, because you do not know you will get a 401.

> What about redirects that require different Authentication methods?

How would that work?

> If the user is now under (for example) a digest auth session, but the
> page/redirected page responds with Authentication: Basic, should the UA
> prompt the user for user/password again? This is a dangerous downgrade
> attack (think active network attackers).

Not sure. I would appreciate advice here. Also based on what we need with
respect to legacy content.

> If the session already has a username/password HTTP auth session and
> open() has user/pass? it should be replaced by the new one? Are you
> sure? Are you really sure?

It would be good to get advice here too.

> There are several attack scenarios there.. and unless I missed something
> in my opinion the specification is not specific enough =/

I can fix it if someone helps me out with the details.
--
Anne van Kesteren
http://annevankesteren.nl/
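Added illustration, not part of this thread or of the XMLHttpRequest spec: a JavaScript model of the credential precedence the two posters discuss, in which a script-set Authorization header wins, open()'s 4th/5th arguments answer a 401 on a second request, and a challenge that downgrades an existing Digest session to Basic is refused instead of prompting. The function name, the scheme ranking and the refuse-on-downgrade policy are assumptions (one conservative user-agent policy), not text from the spec.

```javascript
// Added example, not from the thread or the XHR spec. Models one possible
// user-agent policy for the cases raised above; names and the downgrade
// rule are assumptions.
const SCHEME_STRENGTH = { basic: 1, digest: 2 }; // assumed ranking

// request:   { headers: { [name]: value }, openUser?, openPassword? }
// challenge: scheme from the 401 WWW-Authenticate, or null before any 401
// session:   { scheme, username } for an existing HTTP auth session, or null
// Returns the action the UA takes and how many requests carrying the
// send() body will have gone on the wire.
function resolveCredentials(request, challenge, session) {
  const headerNames = Object.keys(request.headers || {});
  const scripted = headerNames.some((h) => h.toLowerCase() === 'authorization');

  // 1. A script-set Authorization header is sent as-is; open()'s user/pass
  //    and any session are ignored, and no 401 round trip is needed.
  if (scripted) return { action: 'send-script-header', requests: 1 };

  // 2. Before any challenge the UA does not know a 401 is coming, so the
  //    first request (with the send() body) goes out unauthenticated.
  if (!challenge) return { action: 'send-unauthenticated', requests: 1 };

  if (!(challenge in SCHEME_STRENGTH)) {
    return { action: 'unsupported-scheme', requests: 1 };
  }

  // 3. Downgrade check: a challenge weaker than the scheme of the existing
  //    session (e.g. Digest -> Basic after a redirect) is refused rather than
  //    answered, since an active network attacker could have injected it.
  if (session && SCHEME_STRENGTH[challenge] < SCHEME_STRENGTH[session.scheme]) {
    return { action: 'refuse-downgrade', requests: 1 };
  }

  // 4. open()'s 4th/5th arguments answer the challenge on a second request,
  //    replacing the session credentials (assumed precedence).
  if (request.openUser != null) {
    return { action: 'retry-with-open-credentials', requests: 2 };
  }

  // 5. Otherwise reuse the matching session, or fall back to prompting.
  if (session && session.scheme === challenge) {
    return { action: 'retry-with-session', requests: 2 };
  }
  return { action: 'prompt-user', requests: 2 };
}
```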