https://www.w3.org/Bugs/Public/show_bug.cgi?id=19969
Priority: P2
Bug ID: 19969
CC: [email protected], [email protected]
Assignee: [email protected]
Summary: clarify some user name/password and setRequestHeader() Authorize header issues
QA Contact: [email protected]
Severity: normal
Classification: Unclassified
OS: Linux
Reporter: [email protected]
Hardware: PC
Status: NEW
Version: unspecified
Component: XHR
Product: WebAppsWG

IMO we should clarify the following:
1) Add a note (maybe just informative?) saying user name / password from open()
method will only be sent to a site if it first uses a 401 response to indicate
that authentication is required.
2) Figure out what should happen if a script calls open() with user
name/password arguments, then sets an Authorize header with setRequestHeader().
Which wins? Will it depend on whether the site says 401 or not?
(IMO: setRequestHeader() should win if this is compatible with implementations,
simplifies things. Whether or not there is a 401 response should make no
difference. Hope that's sufficiently aligned with implementations.)
3) I assume that if setRequestHeader() adds an Authorize header, it's sent to
the server whether or not a 401 request has been returned. Perhaps this should
also be noted.
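
The three points above, modelled as a request/response exchange in Node.js so that what reaches the server in each case can be checked. This is an added example, not part of the bug report and not XHR or browser code: `ModelRequest`, `makeServer` and the credentials are constructed, point 2 follows the reporter's stated preference, and the HTTP header name `Authorization` is used.

```javascript
// Added model of the behaviour the report proposes; not XHR or browser code.
// ModelRequest and makeServer are hypothetical names; credentials are constructed.

function basic(user, password) {
  return 'Basic ' + Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
}

// Constructed server: 200 only for the expected Authorization value, else a
// 401 challenge. It records each request's headers, i.e. what hit the wire.
function makeServer(expected) {
  const seen = [];
  const handle = (headers) => {
    seen.push({ ...headers });
    return headers.authorization === expected
      ? { status: 200 }
      : { status: 401, challenge: 'Basic realm="constructed"' };
  };
  return { seen, handle };
}

class ModelRequest {
  open(method, url, user = null, password = null) {
    Object.assign(this, { method, url, user, password, headers: {} });
  }
  setRequestHeader(name, value) {
    this.headers[name.toLowerCase()] = value; // header names are case-insensitive
  }
  send(server) {
    // Point 3: an author-set header goes out on the first request, no 401 needed.
    // Point 1: open() credentials are withheld from that first request.
    let res = server.handle(this.headers);
    const authorSet = 'authorization' in this.headers;
    // Point 2 (reporter's preference): the author-set header wins, so open()
    // credentials are used only to answer a 401 when no such header was set.
    if (res.status === 401 && !authorSet && this.user !== null) {
      const retry = { ...this.headers, authorization: basic(this.user, this.password) };
      res = server.handle(retry);
    }
    return res;
  }
}
```

Inspecting `server.seen` after `send()` shows whether the open() credentials ever left the client, which is the property a reviewer of the final spec text would want to confirm.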