On Tue, Feb 12, 2013 at 4:24 AM, Monsur Hossain <mon...@gmail.com> wrote: > The XHR spec defines "user credentials" as "cookies, HTTP authentication, > and client-side SSL certificates". Its not clear to me what "HTTP > authentication" referring to. > > I assumed it was referring to the HTTP authentication in RFC 2617, which > uses the "Authorization" header. But a quick test shows that arbitrary > Authorization headers are allowed on CORS requests. > > It could also mean the http://<username>@<password>:domain.com form of > authentication (not sure where this is formally defined). > > What type of http authentication is the XHR spec referring to?
User credentials stored by the user agent based on a previous visit to the URL. Authorization is only allowed through CORS if the server opts in, btw. These details should become more clear once I turn http://wiki.whatwg.org/wiki/Fetch into a proper specification. -- http://annevankesteren.nl/