On Tue, Feb 12, 2013 at 4:24 AM, Monsur Hossain <mon...@gmail.com> wrote:
> The XHR spec defines "user credentials" as "cookies, HTTP authentication,
> and client-side SSL certificates". Its not clear to me what "HTTP
> authentication" referring to.
> I assumed it was referring to the HTTP authentication in RFC 2617, which
> uses the "Authorization" header. But a quick test shows that arbitrary
> Authorization headers are allowed on CORS requests.
> It could also mean the http://<username>@<password>:domain.com form of
> authentication (not sure where this is formally defined).
> What type of http authentication is the XHR spec referring to?

User credentials stored by the user agent based on a previous visit to the URL.

Authorization is only allowed through CORS if the server opts in, btw.

These details should become more clear once I turn
http://wiki.whatwg.org/wiki/Fetch into a proper specification.


Reply via email to