Bug 21013 - Credentials and HTTP authentication
Status: NEW
Product: WHATWG
Classification: Unclassified
Component: Fetch
unspecified
PC All
: P2 normal
: Unsorted
Assigned To: Anne
sideshowbarker+fetchspec
Depends on:
Blocks: 26556
Reported: 2013-02-15 14:34 UTC by Anne
Modified: 2014-08-13 11:40 UTC (History)
Description Anne 2013-02-15 14:34:35 UTC
CORS allows HTTP authentication without special credentials header opt-in, because you already need to opt in to the HTTP authentication header.

We should be clearer about that somehow.

http://lists.w3.org/Archives/Public/public-webapps/2013JanMar/thread.html#msg366
Comment 1 Anne 2013-02-15 14:37:10 UTC
In particular, the distinction seems to be that if withCredentials is true and the user agent had previously visited the target URL and the user had authenticated that URL, the user agent could include credentials in the request and the server could use the special credentials header opt-in.

Whether that's actually implemented in practice as such is unclear. The ability to set custom request headers also muddles the waters a bit.
Comment 2 Anne 2013-10-24 13:47:29 UTC
See also: https://github.com/whatwg/xhr/pull/4
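
The two opt-ins discussed in this bug, as a simplified JavaScript model of the client-side CORS checks. This is an added example, not part of the bug report, the specification text or any browser's code; the function and field names are hypothetical, the origin and header values are constructed, and the safelist ignores value restrictions and wildcards in `Access-Control-Allow-Headers`.

```javascript
// Simplified model of the client-side CORS checks. Headers are plain objects
// with lowercase names. All function and field names are hypothetical.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Origin check, plus the credentials opt-in when the request carries
// user-agent credentials (cookies, cached HTTP authentication).
function originAndCredentialsOk(req, headers) {
  const acao = headers["access-control-allow-origin"];
  if (!req.withCredentials) return acao === "*" || acao === req.origin;
  // With credentials, "*" is rejected and the extra opt-in header is required.
  return acao === req.origin && headers["access-control-allow-credentials"] === "true";
}

// Author-set headers outside the safelist (such as Authorization) must be
// listed by the server in the preflight response.
function preflightOk(req, preflight) {
  const needed = Object.keys(req.authorHeaders)
    .map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED.has(h));
  if (needed.length === 0) return true; // no preflight triggered by headers
  if (!preflight || !originAndCredentialsOk(req, preflight)) return false;
  const allowed = (preflight["access-control-allow-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase());
  return needed.every((h) => allowed.includes(h));
}

function responseShared(req, preflight, response) {
  return preflightOk(req, preflight) && originAndCredentialsOk(req, response);
}

// Constructed sample: the script sets Authorization itself, withCredentials is false.
const scripted = {
  origin: "https://app.example",
  withCredentials: false,
  authorHeaders: { Authorization: "Basic constructed-placeholder" },
};
console.log(responseShared(
  scripted,
  { "access-control-allow-origin": "*", "access-control-allow-headers": "authorization" },
  { "access-control-allow-origin": "*" }
));
```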