Here I don't agree anymore. If I want to retrieve a HTTP auth-protected
resource
with XHR from a CORS-enabled server, the natural thing to do seems to try to
pass
in the user name and password in the XHR open() call. If the script author
supplied
user/pass and the server says 401 on a
Here I don't agree anymore. If I want to retrieve a HTTP auth-protected
resource
with XHR from a CORS-enabled server, the natural thing to do seems to try
to pass
in the user name and password in the XHR open() call. If the script author
supplied
user/pass and the server says 401
On Mon, May 6, 2013 at 1:39 PM, Hallvord Reiar Michaelsen Steen
hallv...@opera.com wrote:
(Could we however fix this in CORS so that the WWW-Authenticate header could
be included in a preflight response where applicable?)
Maybe we should wait for actual complaints about XMLHttpRequest + CORS
the appropriate digest, the 401 challenge
is required.
Hope it helps
Bin
-Original Message-
From: Hallvord Reiar Michaelsen Steen [mailto:hallv...@opera.com]
Sent: Monday, May 06, 2013 11:13 AM
To: Jonas Sicking
Cc: Anne van Kesteren; WebApps WG; WebAppSec WG
Subject: Re: Re: Fetch: HTTP