Ian Hickson wrote:
> On Thu, 14 Feb 2008, John Panzer wrote:
>> I'm sorry, I wasn't clear. By 'delegated server' I meant that there's
>> no CSR involved at all in this case, but I'm delegating some of the
>> access rights that I (the user) have to C (in this case, a server).
>> Example:
>> A: Robert Scoble
>> B: Facebook
>> C: Plaxo
>> Scoble (A) tells Facebook (B) it's okay for Plaxo (C) to pull contact
>> list data. He then goes to sleep and shuts down his computer. Plaxo
>> (C) then contacts Facebook (B) and retrieves the data, acting on behalf
>> of Scoble (A) but not impersonating him.
>
> In that scenario, you can use whatever headers you like. Access-Control
> and XMLHttpRequest have absolutely nothing to do with this.

Right, I said that below. It's relevant however to the general
discussion of what header(s) to use for auth[nz].
In these cases, Authorization is authenticating the server (Plaxo) _and_
authorizing its request based on prior input from the user. When you
say there's no user/client involved I get confused -- the 'original
server' and 'client' are the same thing in this transaction (Plaxo to
Facebook), unless you're saying that a server can never be an HTTP
client, which confuses me even more. The user is involved but not in
real time -- indeed, it's key that they be involved since they're the
ones authorizing the transaction.

> The Access-Control spec only applies when there's a Web browser allowing a
> Web page from one domain to make connections to a Web server from another
> domain. When there's no Web browser driving the HTTP, there's no need for
> Access-Control.

Right, I'm not talking about Access-Control, I'm talking about general
HTTP auth[nz]. I don't understand the rationale for AC4CSR's policies
with regard to the Authorization: header, and the source of my confusion
seems to be rooted in a difference between my mental model and yours
that's not specific to CSR. That's why I'm going down this digressive
path, because otherwise I think we're just talking past each other.