On Tue, Feb 12, 2013 at 7:52 PM, Monsur Hossain <mon...@gmail.com> wrote:
> I think what was confusing to me is that the
> Access-Control-Allow-Credentials section of the CORS spec indicates that a
> "true" value "indicates that the actual request can include user
> credentials."
>
> In the case of cookies, both the client's .withCredentials and the server's
> Access-Control-Allow-Credentials must be "true" in order for the user-agent
> to return the response to the client.
>
> But in the case of the "Authorization" header, the server's opt-in mechanism
> is Access-Control-Allow-Headers, and has no connection to
> Access-Control-Allow-Credentials.

Hmm I see what you mean. But the user agent can provide the
Authorization header too based on a previous visit. That is the
meaning that is most often meant, but in the particular case of CORS
the semantics are subtly different. Not sure how to clarify that
exactly.


-- 
http://annevankesteren.nl/

Reply via email to