Re: [XHR] withCredentials and HTTP authentication
On Tue, Feb 12, 2013 at 8:00 PM, Anne van Kesteren wrote:
> Hmm I see what you mean. But the user agent can provide the
> Authorization header too based on a previous visit. That is the
> meaning that is most often meant, but in the particular case of CORS
> the semantics are subtly different. Not sure how to clarify that
> exactly.

Filed https://www.w3.org/Bugs/Public/show_bug.cgi?id=21013

--
http://annevankesteren.nl/
Re: [XHR] withCredentials and HTTP authentication
On Tue, Feb 12, 2013 at 7:52 PM, Monsur Hossain wrote:
> I think what was confusing to me is that the
> Access-Control-Allow-Credentials section of the CORS spec indicates that a
> "true" value "indicates that the actual request can include user
> credentials."
>
> In the case of cookies, both the client's .withCredentials and the server's
> Access-Control-Allow-Credentials must be "true" in order for the user-agent
> to return the response to the client.
>
> But in the case of the "Authorization" header, the server's opt-in mechanism
> is Access-Control-Allow-Headers, and has no connection to
> Access-Control-Allow-Credentials.

Hmm I see what you mean. But the user agent can provide the
Authorization header too based on a previous visit. That is the
meaning that is most often meant, but in the particular case of CORS
the semantics are subtly different. Not sure how to clarify that
exactly.

--
http://annevankesteren.nl/
Re: [XHR] withCredentials and HTTP authentication
On Tue, Feb 12, 2013 at 1:36 PM, Anne van Kesteren wrote:
> On Tue, Feb 12, 2013 at 7:30 PM, Monsur Hossain wrote:
>> On Tue, Feb 12, 2013 at 3:37 AM, Anne van Kesteren wrote:
>>> User credentials stored by the user agent based on a previous visit to the
>>> URL.
>>
>> Ok thanks. I think it would be useful if the "HTTP authentication" in the
>> above sentence snippet were either dropped or clarified (The CORS spec also
>> uses the same sentence).
>
> How is it different from mentioning cookies? It has the same effect, no?

I think what was confusing to me is that the
Access-Control-Allow-Credentials section of the CORS spec indicates that a
"true" value "indicates that the actual request can include user
credentials."

In the case of cookies, both the client's .withCredentials and the server's
Access-Control-Allow-Credentials must be "true" in order for the user-agent
to return the response to the client.

But in the case of the "Authorization" header, the server's opt-in mechanism
is Access-Control-Allow-Headers, and has no connection to
Access-Control-Allow-Credentials.

The sentence above reads as if cookies and HTTP Authentication are both
governed by the Access-Control-Allow-Credentials header, which is not the
case in practice.

Note that I am assuming that HTTP Authentication is referring to RFC 2617 and
the use of the Authorization header. But the definition for user credentials
in the "Terminology" section of the CORS spec doesn't say either way. If this
is the case, there should be a reference to RFC 2617 in the "Terminology"
section (next to "[COOKIES]"). And if this is not the case, there should be
more information to disambiguate the term "HTTP Authentication" from RFC 2617.

Thanks,
Monsur

> --
> http://annevankesteren.nl/
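As an added example, not code from this thread or from either spec, the following JavaScript models the two separate server opt-ins Monsur describes: browser-held credentials (a cookie, or an HTTP auth entry cached from a previous visit) ride along only when `withCredentials` is set and are gated by `Access-Control-Allow-Credentials`, while an `Authorization` header set by the script is gated by `Access-Control-Allow-Headers` on the preflight. The model follows the WHATWG Fetch standard as it stands today, which postdates this 2013 discussion and adds one rule worth knowing: a `*` in `Access-Control-Allow-Headers` never covers `Authorization`. The function names (`corsCheck`, `preflightHeadersAllowed`, `simulateCorsRequest`), the origin `https://app.example` and every server response below are constructed for the example.

```javascript
// Added example (not from the thread): a model of the browser-side CORS
// checks that decide which credentials a cross-origin XHR carries and
// whether the page gets to see the response. It follows the WHATWG Fetch
// standard (https://fetch.spec.whatwg.org/), which postdates this 2013
// discussion; all server responses below are constructed. Header names are
// compared case-insensitively, so every map here is keyed by lower-case name.

// CORS-safelisted request headers (simplified: Fetch also restricts their values).
const SAFELISTED_REQUEST_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);

// Fetch calls `Authorization` a "CORS-non-wildcard request-header name":
// `Access-Control-Allow-Headers: *` never covers it; a server must name it.
const NON_WILDCARD_REQUEST_HEADERS = new Set(['authorization']);

function parseHeaderList(value) {
  return (value || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// The Fetch "CORS check": may the page read this response at all?
// With credentials the origin must be echoed exactly (no "*") and the
// server must additionally send `Access-Control-Allow-Credentials: true`.
function corsCheck(origin, withCredentials, responseHeaders) {
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;
  if (allowOrigin === '*') return !withCredentials;
  if (allowOrigin !== origin) return false;
  if (!withCredentials) return true;
  return responseHeaders['access-control-allow-credentials'] === 'true';
}

// Preflight header check: every non-safelisted header the script set must be
// listed in `Access-Control-Allow-Headers`. "*" is only a wildcard for
// requests without credentials, and even then it excludes Authorization.
function preflightHeadersAllowed(scriptHeaders, withCredentials, preflightHeaders) {
  const allowed = new Set(parseHeaderList(preflightHeaders['access-control-allow-headers']));
  const wildcard = allowed.has('*') && !withCredentials;
  return scriptHeaders.every((h) => {
    const name = h.toLowerCase();
    if (SAFELISTED_REQUEST_HEADERS.has(name)) return true;
    if (allowed.has(name)) return true;
    return wildcard && !NON_WILDCARD_REQUEST_HEADERS.has(name);
  });
}

// Simulate one cross-origin XHR. `request` describes what the page did
// (withCredentials flag, headers set via setRequestHeader) and what the
// browser already holds for the target (a cookie, an HTTP auth entry from a
// previous visit); `server` holds the preflight and actual response headers.
function simulateCorsRequest(request, server) {
  const {
    origin, withCredentials, scriptHeaders = [],
    storedCookie = false, storedHttpAuth = false,
  } = request;
  const scriptSetsAuthorization = scriptHeaders.some((h) => h.toLowerCase() === 'authorization');
  const needsPreflight = scriptHeaders.some((h) => !SAFELISTED_REQUEST_HEADERS.has(h.toLowerCase()));

  if (needsPreflight) {
    // The preflight itself is sent without credentials, but Fetch runs the
    // CORS check on its response using the real request's credentials mode.
    if (!corsCheck(origin, withCredentials, server.preflight)) {
      return { exposed: false, sent: null, reason: 'preflight response failed CORS check' };
    }
    if (!preflightHeadersAllowed(scriptHeaders, withCredentials, server.preflight)) {
      return { exposed: false, sent: null, reason: 'header not in Access-Control-Allow-Headers' };
    }
  }

  // What actually goes on the wire. Browser-held credentials ride only when
  // withCredentials is set; a script-set Authorization header is sent
  // regardless, and then the browser does not also apply its cached auth entry.
  const sent = {
    cookie: withCredentials && storedCookie,
    storedAuthorization: withCredentials && storedHttpAuth && !scriptSetsAuthorization,
    scriptAuthorization: scriptSetsAuthorization,
  };
  const exposed = corsCheck(origin, withCredentials, server.actual);
  return { exposed, sent, reason: exposed ? 'ok' : 'actual response failed CORS check' };
}

const ORIGIN = 'https://app.example'; // constructed

// 1. Cookie-backed session: server must echo the origin AND send ACAC: true.
const cookieOk = simulateCorsRequest(
  { origin: ORIGIN, withCredentials: true, storedCookie: true },
  { actual: { 'access-control-allow-origin': ORIGIN, 'access-control-allow-credentials': 'true' } },
);
// 2. Same request, server forgot ACAC: the cookie is still sent on the wire,
//    but the browser withholds the response from the page.
const cookieBlocked = simulateCorsRequest(
  { origin: ORIGIN, withCredentials: true, storedCookie: true },
  { actual: { 'access-control-allow-origin': ORIGIN } },
);
// 3. Script-set Authorization, no withCredentials: the opt-in is
//    Access-Control-Allow-Headers on the preflight, ACAC plays no part.
const bearerOk = simulateCorsRequest(
  { origin: ORIGIN, withCredentials: false, scriptHeaders: ['Authorization'] },
  {
    preflight: { 'access-control-allow-origin': '*', 'access-control-allow-headers': 'Authorization' },
    actual: { 'access-control-allow-origin': '*' },
  },
);
// 4. Same, but the server answered the preflight with ACAH: * -- not enough.
const bearerWildcard = simulateCorsRequest(
  { origin: ORIGIN, withCredentials: false, scriptHeaders: ['Authorization'] },
  {
    preflight: { 'access-control-allow-origin': '*', 'access-control-allow-headers': '*' },
    actual: { 'access-control-allow-origin': '*' },
  },
);
// 5. HTTP auth cached from a previous visit behaves like the cookie case:
//    governed by withCredentials plus ACAC, with no preflight involved.
const cachedAuth = simulateCorsRequest(
  { origin: ORIGIN, withCredentials: true, storedHttpAuth: true },
  { actual: { 'access-control-allow-origin': ORIGIN, 'access-control-allow-credentials': 'true' } },
);
```

Case 2 is the one to remember from a defensive standpoint: a missing `Access-Control-Allow-Credentials` does not stop the credentialed request from reaching the server, it only stops the calling page from reading the answer, so state-changing endpoints still need CSRF protection of their own.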
Re: [XHR] withCredentials and HTTP authentication
On Tue, Feb 12, 2013 at 7:30 PM, Monsur Hossain wrote:
> On Tue, Feb 12, 2013 at 3:37 AM, Anne van Kesteren wrote:
>> User credentials stored by the user agent based on a previous visit to the
>> URL.
>
> Ok thanks. I think it would be useful if the "HTTP authentication" in the
> above sentence snippet were either dropped or clarified (The CORS spec also
> uses the same sentence).

How is it different from mentioning cookies? It has the same effect, no?

--
http://annevankesteren.nl/
Re: [XHR] withCredentials and HTTP authentication
On Tue, Feb 12, 2013 at 3:37 AM, Anne van Kesteren wrote:
> On Tue, Feb 12, 2013 at 4:24 AM, Monsur Hossain wrote:
>> The XHR spec defines "user credentials" as "cookies, HTTP authentication,
>> and client-side SSL certificates". It's not clear to me what "HTTP
>> authentication" is referring to.
>>
>> I assumed it was referring to the HTTP authentication in RFC 2617, which
>> uses the "Authorization" header. But a quick test shows that arbitrary
>> Authorization headers are allowed on CORS requests.
>>
>> It could also mean the http://@:domain.com form of
>> authentication (not sure where this is formally defined).
>>
>> What type of HTTP authentication is the XHR spec referring to?
>
> User credentials stored by the user agent based on a previous visit to the
> URL.

Ok thanks. I think it would be useful if the "HTTP authentication" in the
above sentence snippet were either dropped or clarified (The CORS spec also
uses the same sentence).

> Authorization is only allowed through CORS if the server opts in, btw.
>
> These details should become more clear once I turn
> http://wiki.whatwg.org/wiki/Fetch into a proper specification.
>
> --
> http://annevankesteren.nl/
Re: [XHR] withCredentials and HTTP authentication
On Tue, Feb 12, 2013 at 4:24 AM, Monsur Hossain wrote:
> The XHR spec defines "user credentials" as "cookies, HTTP authentication,
> and client-side SSL certificates". It's not clear to me what "HTTP
> authentication" is referring to.
>
> I assumed it was referring to the HTTP authentication in RFC 2617, which
> uses the "Authorization" header. But a quick test shows that arbitrary
> Authorization headers are allowed on CORS requests.
>
> It could also mean the http://@:domain.com form of
> authentication (not sure where this is formally defined).
>
> What type of HTTP authentication is the XHR spec referring to?

User credentials stored by the user agent based on a previous visit to the
URL.

Authorization is only allowed through CORS if the server opts in, btw.

These details should become more clear once I turn
http://wiki.whatwg.org/wiki/Fetch into a proper specification.

--
http://annevankesteren.nl/