This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 19969 - clarify some user name/password and setRequestHeader() Authorize header issues
Status: RESOLVED DUPLICATE of bug 15418
Alias: None
Product: WebAppsWG
Classification: Unclassified
Component: XHR
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Anne
QA Contact: public-webapps-bugzilla
Reported: 2012-11-15 13:36 UTC by Hallvord R. M. Steen
Modified: 2012-11-15 13:50 UTC

Description Hallvord R. M. Steen 2012-11-15 13:36:21 UTC
IMO we should clarify the following:

1) Add a note (maybe just informative?) saying user name / password from open() method will only be sent to a site if it first uses a 401 response to indicate that authentication is required.

2) Figure out what should happen if a script calls open() with user name/password arguments, then sets an Authorize header with setRequestHeader(). Which wins? Will it depend on whether the site says 401 or not?

(IMO: setRequestHeader() should win if this is compatible with implementations, simplifies things. Whether or not there is a 401 response should make no difference. Hope that's sufficiently aligned with implementations..)

3) I assume that if setRequestHeader() adds an Authorize header, it's sent to the server whether or not a 401 request has been returned. Perhaps this should also be noted.
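Added example, not part of the original report and not code from the XHR specification or any browser: one way to settle points 1 to 3 empirically for a given browser is to have a test server log the Authorization request header (the header the report calls "Authorize") on every request, then classify the log. The user names, passwords and log entries below are constructed, and the helper assumes the test page used different user names for open() and setRequestHeader() with the Basic scheme.

```javascript
// Added example. All names, credentials and log entries are constructed.
const basic = (user, pass) =>
  'Basic ' + Buffer.from(`${user}:${pass}`).toString('base64');

// Parse "Basic <base64(user:pass)>"; returns null for anything else.
function decodeBasic(value) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(value || '');
  if (!m) return null;
  const text = Buffer.from(m[1], 'base64').toString('utf8');
  const i = text.indexOf(':');
  return i < 0 ? null : { user: text.slice(0, i), pass: text.slice(i + 1) };
}

// log: requests in arrival order, each { authorization, status }, where
// status is what the test server answered. openUser / headerUser are the
// distinct user names the test page passed to open() and setRequestHeader().
function classifyRun(log, openUser, headerUser) {
  const out = { preemptive: false, afterChallenge: false, sources: [] };
  let challenged = false;
  for (const { authorization, status } of log) {
    const cred = decodeBasic(authorization);
    if (cred) {
      if (challenged) out.afterChallenge = true;
      else out.preemptive = true; // sent before any 401 was seen
      out.sources.push(cred.user === openUser ? 'open()'
        : cred.user === headerUser ? 'setRequestHeader()' : 'unknown');
    } else {
      out.sources.push('none');
    }
    if (status === 401) challenged = true;
  }
  return out;
}

// Constructed run 1: credentials appear only after the server's 401.
const challengeOnly = [
  { authorization: undefined, status: 401 },
  { authorization: basic('openUser', 'openPass'), status: 200 },
];
// Constructed run 2: a script-set header arrives on the very first request.
const headerFirst = [
  { authorization: basic('headerUser', 'headerPass'), status: 200 },
];

console.log(classifyRun(challengeOnly, 'openUser', 'headerUser'));
console.log(classifyRun(headerFirst, 'openUser', 'headerUser'));
```

The last entry in `sources` for a run where the page set both credentials shows which one that browser actually put on the wire.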
Comment 1 Anne 2012-11-15 13:50:03 UTC

*** This bug has been marked as a duplicate of bug 15418 ***