Re: [XHR] withCredentials and HTTP authentication

2013-02-15 Thread Anne van Kesteren
On Tue, Feb 12, 2013 at 8:00 PM, Anne van Kesteren ann...@annevk.nl wrote:
> Hmm I see what you mean. But the user agent can provide the
> Authorization header too based on a previous visit. That is the
> meaning that is most often meant, but in the particular case of CORS
> the semantics are subtly different. Not sure how to clarify that
> exactly.

Filed https://www.w3.org/Bugs/Public/show_bug.cgi?id=21013


-- 
http://annevankesteren.nl/



Re: [XHR] withCredentials and HTTP authentication

2013-02-12 Thread Anne van Kesteren
On Tue, Feb 12, 2013 at 4:24 AM, Monsur Hossain mon...@gmail.com wrote:
> The XHR spec defines "user credentials" as cookies, HTTP authentication,
> and client-side SSL certificates. It's not clear to me what "HTTP
> authentication" is referring to.
>
> I assumed it was referring to the HTTP authentication in RFC 2617, which
> uses the Authorization header. But a quick test shows that arbitrary
> Authorization headers are allowed on CORS requests.
>
> It could also mean the http://username@password:domain.com form of
> authentication (not sure where this is formally defined).
>
> What type of HTTP authentication is the XHR spec referring to?

User credentials stored by the user agent based on a previous visit to the URL.

Authorization is only allowed through CORS if the server opts in, btw.

These details should become more clear once I turn
http://wiki.whatwg.org/wiki/Fetch into a proper specification.


-- 
http://annevankesteren.nl/



Re: [XHR] withCredentials and HTTP authentication

2013-02-12 Thread Monsur Hossain
On Tue, Feb 12, 2013 at 3:37 AM, Anne van Kesteren ann...@annevk.nl wrote:

> On Tue, Feb 12, 2013 at 4:24 AM, Monsur Hossain mon...@gmail.com wrote:
> > The XHR spec defines "user credentials" as cookies, HTTP authentication,
> > and client-side SSL certificates. It's not clear to me what "HTTP
> > authentication" is referring to.
> >
> > I assumed it was referring to the HTTP authentication in RFC 2617, which
> > uses the Authorization header. But a quick test shows that arbitrary
> > Authorization headers are allowed on CORS requests.
> >
> > It could also mean the http://username@password:domain.com form of
> > authentication (not sure where this is formally defined).
> >
> > What type of HTTP authentication is the XHR spec referring to?
>
> User credentials stored by the user agent based on a previous visit to the
> URL.


Ok thanks. I think it would be useful if the "HTTP authentication" in the
above sentence snippet were either dropped or clarified (the CORS spec also
uses the same sentence).

> Authorization is only allowed through CORS if the server opts in, btw.
>
> These details should become more clear once I turn
> http://wiki.whatwg.org/wiki/Fetch into a proper specification.
>
>
> --
> http://annevankesteren.nl/



Re: [XHR] withCredentials and HTTP authentication

2013-02-12 Thread Anne van Kesteren
On Tue, Feb 12, 2013 at 7:30 PM, Monsur Hossain mon...@gmail.com wrote:
> On Tue, Feb 12, 2013 at 3:37 AM, Anne van Kesteren ann...@annevk.nl wrote:
> > User credentials stored by the user agent based on a previous visit to the
> > URL.
>
> Ok thanks. I think it would be useful if the "HTTP authentication" in the
> above sentence snippet were either dropped or clarified (the CORS spec also
> uses the same sentence).

How is it different from mentioning cookies? It has the same effect, no?


-- 
http://annevankesteren.nl/



Re: [XHR] withCredentials and HTTP authentication

2013-02-12 Thread Monsur Hossain
On Tue, Feb 12, 2013 at 1:36 PM, Anne van Kesteren ann...@annevk.nl wrote:

> On Tue, Feb 12, 2013 at 7:30 PM, Monsur Hossain mon...@gmail.com wrote:
> > On Tue, Feb 12, 2013 at 3:37 AM, Anne van Kesteren ann...@annevk.nl wrote:
> > > User credentials stored by the user agent based on a previous visit to
> > > the URL.
> >
> > Ok thanks. I think it would be useful if the "HTTP authentication" in the
> > above sentence snippet were either dropped or clarified (the CORS spec
> > also uses the same sentence).
>
> How is it different from mentioning cookies? It has the same effect, no?


I think what was confusing to me is that the
Access-Control-Allow-Credentials section of the CORS spec indicates that a
true value indicates that "the actual request can include user
credentials."

In the case of cookies, both the client's .withCredentials and the server's
Access-Control-Allow-Credentials must be true in order for the user agent
to return the response to the client.

But in the case of the Authorization header, the server's opt-in
mechanism is Access-Control-Allow-Headers, and has no connection to
Access-Control-Allow-Credentials.

The sentence above reads as if cookies and HTTP Authentication are
both governed by the Access-Control-Allow-Credentials header, which is not
the case in practice.

Note that I am assuming that "HTTP Authentication" is referring to RFC 2617
and the use of the Authorization header. But the definition for "user
credentials" in the Terminology section of the CORS spec doesn't say
either way. If this is the case, there should be a reference to RFC 2617 in
the Terminology section (next to [COOKIES]). And if this is not the
case, there should be more information to disambiguate the term "HTTP
Authentication" from RFC 2617.

Thanks,
Monsur




> --
> http://annevankesteren.nl/



Re: [XHR] withCredentials and HTTP authentication

2013-02-12 Thread Anne van Kesteren
On Tue, Feb 12, 2013 at 7:52 PM, Monsur Hossain mon...@gmail.com wrote:
> I think what was confusing to me is that the
> Access-Control-Allow-Credentials section of the CORS spec indicates that a
> true value indicates that "the actual request can include user
> credentials."
>
> In the case of cookies, both the client's .withCredentials and the server's
> Access-Control-Allow-Credentials must be true in order for the user agent
> to return the response to the client.
>
> But in the case of the Authorization header, the server's opt-in mechanism
> is Access-Control-Allow-Headers, and has no connection to
> Access-Control-Allow-Credentials.

Hmm I see what you mean. But the user agent can provide the
Authorization header too based on a previous visit. That is the
meaning that is most often meant, but in the particular case of CORS
the semantics are subtly different. Not sure how to clarify that
exactly.


-- 
http://annevankesteren.nl/
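The two separate opt-ins Monsur describes (Access-Control-Allow-Credentials for user-agent-supplied credentials such as cookies or stored HTTP auth, Access-Control-Allow-Headers for an author-set Authorization header), modelled as an added example that is not code from either author or from any spec. It follows the current Fetch standard's rules rather than the 2013 drafts, and goes beyond the thread in one detail: a "*" in Access-Control-Allow-Headers never covers Authorization, which must be listed by name. The request shape and function names are this example's own.

```javascript
// Added example, not from the thread: a model of the two separate CORS
// opt-ins the discussion distinguishes. User-agent-supplied credentials
// (cookies, stored HTTP auth) are sent only when withCredentials is true and
// the response is exposed only if Access-Control-Allow-Credentials is "true"
// and the allowed origin is exact (never "*"). An author-set Authorization
// header instead triggers a preflight and must be named in
// Access-Control-Allow-Headers. Header names compare case-insensitively.

const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Origin/credentials check applied to both the preflight and the actual response.
function originAllowed(request, headers) {
  const acao = header(headers, "Access-Control-Allow-Origin");
  if (request.withCredentials) {
    return header(headers, "Access-Control-Allow-Credentials") === "true" && acao === request.origin;
  }
  return acao === "*" || acao === request.origin;
}

// request = { origin, withCredentials, headers }; preflight/response are the server's CORS headers.
function corsDecision(request, preflight, response) {
  const authorHeaders = Object.keys(request.headers).map((h) => h.toLowerCase());
  const nonSafelisted = authorHeaders.filter((h) => !SAFELISTED.has(h));

  if (nonSafelisted.length > 0) {
    if (!originAllowed(request, preflight)) {
      return { exposed: false, reason: "preflight did not allow origin/credentials" };
    }
    const allowed = (header(preflight, "Access-Control-Allow-Headers") || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    // "*" only counts for credential-less requests and never covers
    // Authorization, which must always be listed by name (Fetch rule).
    const wildcard = allowed.includes("*") && !request.withCredentials;
    for (const h of nonSafelisted) {
      if (!allowed.includes(h) && !(wildcard && h !== "authorization")) {
        return { exposed: false, reason: `header ${h} not in Access-Control-Allow-Headers` };
      }
    }
  }
  if (!originAllowed(request, response)) {
    return { exposed: false, reason: request.withCredentials ? "credentials sent but server did not opt in" : "origin not allowed" };
  }
  return { exposed: true, reason: request.withCredentials ? "credentialed" : "anonymous" };
}
```

An Authorization header set by script is therefore readable with Access-Control-Allow-Origin: * plus a matching Access-Control-Allow-Headers, with no Access-Control-Allow-Credentials involved, while credentials the user agent attaches on its own are gated only by Access-Control-Allow-Credentials.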