Bugzilla – Bug 21013
Credentials and HTTP authentication
Last modified: 2014-08-13 11:40:08 UTC
CORS allows HTTP authentication without special credentials header opt-in, because you already need to opt-in to the HTTP authentication header.
We should be clearer about that somehow.
In particular, the distinction seems to be that if withCredentials is true and the user agent had previously visited the target URL and the user had authenticated that URL, the user agent could include credentials in the request and the server could use the special credentials header opt-in.
Whether that's actually implemented in practice as such is unclear. The ability to set custom request headers also muddles the waters a bit.
See also: https://github.com/whatwg/xhr/pull/4