Bug 19969 - clarify some user name/password and setRequestHeader() Authorize header issues
Summary: clarify some user name/password and setRequestHeader() Authorize header issues
Status: RESOLVED DUPLICATE of bug 15418
Alias: None
Product: WebAppsWG
Classification: Unclassified
Component: XHR (show other bugs)
Version: unspecified
Hardware: PC Linux
: P2 normal
Target Milestone: ---
Assignee: Anne
QA Contact: public-webapps-bugzilla
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-15 13:36 UTC by Hallvord R. M. Steen
Modified: 2012-11-15 13:50 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hallvord R. M. Steen 2012-11-15 13:36:21 UTC
IMO we should clarify the following:

1) Add a note (maybe just informative?) saying user name / password from open() method will only be sent to a site if it first uses a 401 response to indicate that authentication is required.

2) Figure out what should happen if a script calls open() with user name/password arguments, then sets an Authorize header with setRequestHeader(). Which wins? Will it depend on whether the site says 401 or not?

(IMO: setRequestHeader() should win if this is compatible with implementations, simplifies things. Whether or not there is a 401 response should make no difference. Hope that's sufficiently aligned with implementations..)

3) I assume that if setRequestHeader() adds an Authorize header, it's sent to the server whether or not a 401 request has been returned. Perhaps this should also be noted.
Comment 1 Anne 2012-11-15 13:50:03 UTC

*** This bug has been marked as a duplicate of bug 15418 ***