Re: [XHR] withCredentials and HTTP authentication
On Tue, Feb 12, 2013 at 8:00 PM, Anne van Kesteren ann...@annevk.nl wrote: Hmm I see what you mean. But the user agent can provide the Authorization header too based on a previous visit. That is the meaning that is most often meant, but in the particular case of CORS the semantics are subtly different. Not sure how to clarify that exactly. Filed https://www.w3.org/Bugs/Public/show_bug.cgi?id=21013 -- http://annevankesteren.nl/
Re: [XHR] withCredentials and HTTP authentication
On Tue, Feb 12, 2013 at 4:24 AM, Monsur Hossain mon...@gmail.com wrote: The XHR spec defines user credentials as cookies, HTTP authentication, and client-side SSL certificates. Its not clear to me what HTTP authentication referring to. I assumed it was referring to the HTTP authentication in RFC 2617, which uses the Authorization header. But a quick test shows that arbitrary Authorization headers are allowed on CORS requests. It could also mean the http://username@password:domain.com form of authentication (not sure where this is formally defined). What type of http authentication is the XHR spec referring to? User credentials stored by the user agent based on a previous visit to the URL. Authorization is only allowed through CORS if the server opts in, btw. These details should become more clear once I turn http://wiki.whatwg.org/wiki/Fetch into a proper specification. -- http://annevankesteren.nl/
Re: [XHR] withCredentials and HTTP authentication
On Tue, Feb 12, 2013 at 3:37 AM, Anne van Kesteren ann...@annevk.nl wrote: On Tue, Feb 12, 2013 at 4:24 AM, Monsur Hossain mon...@gmail.com wrote: The XHR spec defines user credentials as cookies, HTTP authentication, and client-side SSL certificates. Its not clear to me what HTTP authentication referring to. I assumed it was referring to the HTTP authentication in RFC 2617, which uses the Authorization header. But a quick test shows that arbitrary Authorization headers are allowed on CORS requests. It could also mean the http://username@password:domain.com form of authentication (not sure where this is formally defined). What type of http authentication is the XHR spec referring to? User credentials stored by the user agent based on a previous visit to the URL. Ok thanks. I think it would be useful if the HTTP authentication in the above sentence snippet were either dropped or clarified (The CORS spec also uses the same sentence). Authorization is only allowed through CORS if the server opts in, btw. These details should become more clear once I turn http://wiki.whatwg.org/wiki/Fetch into a proper specification. -- http://annevankesteren.nl/
Re: [XHR] withCredentials and HTTP authentication
On Tue, Feb 12, 2013 at 7:30 PM, Monsur Hossain mon...@gmail.com wrote: On Tue, Feb 12, 2013 at 3:37 AM, Anne van Kesteren ann...@annevk.nl wrote: User credentials stored by the user agent based on a previous visit to the URL. Ok thanks. I think it would be useful if the HTTP authentication in the above sentence snippet were either dropped or clarified (The CORS spec also uses the same sentence). How is it different from mentioning cookies? It has the same effect, no? -- http://annevankesteren.nl/
Re: [XHR] withCredentials and HTTP authentication
On Tue, Feb 12, 2013 at 1:36 PM, Anne van Kesteren ann...@annevk.nl wrote: On Tue, Feb 12, 2013 at 7:30 PM, Monsur Hossain mon...@gmail.com wrote: On Tue, Feb 12, 2013 at 3:37 AM, Anne van Kesteren ann...@annevk.nl wrote: User credentials stored by the user agent based on a previous visit to the URL. Ok thanks. I think it would be useful if the HTTP authentication in the above sentence snippet were either dropped or clarified (The CORS spec also uses the same sentence). How is it different from mentioning cookies? It has the same effect, no? I think what was confusing to me is that the Access-Control-Allow-Credentials section of the CORS spec indicates that a true value indicates that the actual request can include user credentials. In the case of cookies, both the client's .withCredentials and the server's Access-Control-Allow-Credentials must be true in order for the user-agent to return the response to the client. But in the case of the Authorization header, the server's opt-in mechanism is Access-Control-Allow-Headers, and has no connection to Access-Control-Allow-Credentials. The sentence above reads as if cookies and HTTP Authentication are both governed by the Access-Control-Allow-Credentials header, which is not the case in practice. Note that I am assuming that HTTP Authentication is referring to RFC 2617 and the use of the Authorization header. But the definition for user credentials in the Terminology section of the CORS spec doesn't say either way. If this is the case, there should be a reference to RFC 2617 in the Terminology section (Next to [COOKIES]). And if this is not the case, there should be more information to disambiguate the term HTTP Authentication from RFC2617. Thanks, Monsur -- http://annevankesteren.nl/
Re: [XHR] withCredentials and HTTP authentication
On Tue, Feb 12, 2013 at 7:52 PM, Monsur Hossain mon...@gmail.com wrote: I think what was confusing to me is that the Access-Control-Allow-Credentials section of the CORS spec indicates that a true value indicates that the actual request can include user credentials. In the case of cookies, both the client's .withCredentials and the server's Access-Control-Allow-Credentials must be true in order for the user-agent to return the response to the client. But in the case of the Authorization header, the server's opt-in mechanism is Access-Control-Allow-Headers, and has no connection to Access-Control-Allow-Credentials. Hmm I see what you mean. But the user agent can provide the Authorization header too based on a previous visit. That is the meaning that is most often meant, but in the particular case of CORS the semantics are subtly different. Not sure how to clarify that exactly. -- http://annevankesteren.nl/
