19969 2012-11-15 13:36:21 +0000 clarify some user name/password and setRequestHeader() Authorize header issues 2012-11-15 13:50:03 +0000 1 1 1 Unclassified WebAppsWG XHR unspecified PC Linux RESOLVED DUPLICATE 15418 P2 normal --- 1 hsteen annevk mike public-webapps public-webapps-bugzilla oldest_to_newest 78351 0 hsteen 2012-11-15 13:36:21 +0000 IMO we should clarify the following: 1) Add a note (maybe just informative?) saying user name / password from open() method will only be sent to a site if it first uses a 401 response to indicate that authentication is required. 2) Figure out what should happen if a script calls open() with user name/password arguments, then sets an Authorize header with setRequestHeader(). Which wins? Will it depend on whether the site says 401 or not? (IMO: setRequestHeader() should win if this is compatible with implementations, simplifies things. Whether or not there is a 401 response should make no difference. Hope that's sufficiently aligned with implementations..) 3) I assume that if setRequestHeader() adds an Authorize header, it's sent to the server whether or not a 401 request has been returned. Perhaps this should also be noted. 78352 1 annevk 2012-11-15 13:50:03 +0000 *** This bug has been marked as a duplicate of bug 15418 ***