Re: [XHR] withCredentials and HTTP authentication

2013-02-15 Thread Anne van Kesteren
On Tue, Feb 12, 2013 at 8:00 PM, Anne van Kesteren ann...@annevk.nl wrote: Hmm I see what you mean. But the user agent can provide the Authorization header too based on a previous visit. That is the meaning that is most often meant, but in the particular case of CORS the semantics are subtly

Re: [XHR] withCredentials and HTTP authentication

2013-02-12 Thread Anne van Kesteren
On Tue, Feb 12, 2013 at 4:24 AM, Monsur Hossain mon...@gmail.com wrote: The XHR spec defines user credentials as cookies, HTTP authentication, and client-side SSL certificates. Its not clear to me what HTTP authentication referring to. I assumed it was referring to the HTTP authentication in

Re: [XHR] withCredentials and HTTP authentication

2013-02-12 Thread Monsur Hossain
On Tue, Feb 12, 2013 at 3:37 AM, Anne van Kesteren ann...@annevk.nl wrote: On Tue, Feb 12, 2013 at 4:24 AM, Monsur Hossain mon...@gmail.com wrote: The XHR spec defines user credentials as cookies, HTTP authentication, and client-side SSL certificates. Its not clear to me what HTTP

Re: [XHR] withCredentials and HTTP authentication

2013-02-12 Thread Anne van Kesteren
On Tue, Feb 12, 2013 at 7:30 PM, Monsur Hossain mon...@gmail.com wrote: On Tue, Feb 12, 2013 at 3:37 AM, Anne van Kesteren ann...@annevk.nl wrote: User credentials stored by the user agent based on a previous visit to the URL. Ok thanks. I think it would be useful if the HTTP authentication

Re: [XHR] withCredentials and HTTP authentication

2013-02-12 Thread Monsur Hossain
On Tue, Feb 12, 2013 at 1:36 PM, Anne van Kesteren ann...@annevk.nl wrote: On Tue, Feb 12, 2013 at 7:30 PM, Monsur Hossain mon...@gmail.com wrote: On Tue, Feb 12, 2013 at 3:37 AM, Anne van Kesteren ann...@annevk.nl wrote: User credentials stored by the user agent based on a previous visit

Re: [XHR] withCredentials and HTTP authentication

2013-02-12 Thread Anne van Kesteren
On Tue, Feb 12, 2013 at 7:52 PM, Monsur Hossain mon...@gmail.com wrote: I think what was confusing to me is that the Access-Control-Allow-Credentials section of the CORS spec indicates that a true value indicates that the actual request can include user credentials. In the case of cookies,