On Tue, Feb 12, 2013 at 7:52 PM, Monsur Hossain <mon...@gmail.com> wrote:
> I think what was confusing to me is that the
> Access-Control-Allow-Credentials section of the CORS spec indicates that a
> "true" value "indicates that the actual request can include user
> credentials."
>
> In the case of cookies, both the client's .withCredentials and the server's
> Access-Control-Allow-Credentials must be "true" in order for the user-agent
> to return the response to the client.
>
> But in the case of the "Authorization" header, the server's opt-in mechanism
> is Access-Control-Allow-Headers, and has no connection to
> Access-Control-Allow-Credentials.

Hmm I see what you mean. But the user agent can provide the Authorization
header too based on a previous visit. That is the meaning that is most often
meant, but in the particular case of CORS the semantics are subtly different.
Not sure how to clarify that exactly.

--
http://annevankesteren.nl/
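
The two opt-in paths discussed in this thread, as an added example that is not part of the original messages: a simplified JavaScript model of the user agent's checks. The function names and the request/response object shapes are hypothetical, and only the headers named in the thread plus Access-Control-Allow-Origin are modeled.

```javascript
// Added example: simplified model of the user-agent checks discussed above.
// Function names and object shapes are hypothetical; header names are lower-cased.

// Headers an author may set without a preflight (simplified; Content-Type omitted).
const SIMPLE_HEADERS = ['accept', 'accept-language', 'content-language'];

function listIncludes(headerValue, name) {
  return (headerValue || '')
    .split(',')
    .map((s) => s.trim().toLowerCase())
    .includes(name.toLowerCase());
}

// Resource sharing check: credentialed mode needs an exact origin match plus
// Access-Control-Allow-Credentials: true; "*" is only valid without credentials.
function sharingCheck(resp, origin, withCredentials) {
  const acao = resp['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (withCredentials) {
    return acao === origin && resp['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === origin;
}

// req: { origin, withCredentials, authorHeaders: [header names set by script] }
function corsDecision(req, preflightResp, resp) {
  const nonSimple = req.authorHeaders.filter(
    (h) => !SIMPLE_HEADERS.includes(h.toLowerCase())
  );
  if (nonSimple.length > 0) {
    // Author-set Authorization lands here: it is opted in by Allow-Headers.
    if (!sharingCheck(preflightResp, req.origin, req.withCredentials)) {
      return 'blocked: preflight failed sharing check';
    }
    const allowed = preflightResp['access-control-allow-headers'];
    const missing = nonSimple.find((h) => !listIncludes(allowed, h));
    if (missing) return 'blocked: ' + missing.toLowerCase() + ' not in Access-Control-Allow-Headers';
  }
  // Cookies and HTTP auth supplied by the user agent are governed by withCredentials.
  if (!sharingCheck(resp, req.origin, req.withCredentials)) {
    return 'blocked: response failed sharing check';
  }
  return 'shared';
}
```

An author-set Authorization header with withCredentials false passes on Access-Control-Allow-Headers alone, while credentials the user agent attaches itself require withCredentials and Access-Control-Allow-Credentials: true.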