On Thu, 14 Feb 2008, John Panzer wrote:
> Ian Hickson wrote:
> > On Thu, 14 Feb 2008, John Panzer wrote:
> > >
> > > Right, I'm not talking about Access-Control, I'm talking about
> > > general HTTP auth[nz]. I don't understand the rationale for
> > > AC4CSR's policies with regard to the Authorization: header
> >
> > The rationale is really as simple as this: browser vendors don't want
> > to enable a distributed user credentials search.
>
> Which could be accomplished by banning Authorization: Basic and
> Authorization: Digest only.

Unless there's some other scheme in use that's also vulnerable. It also
wouldn't help in general with XMLHttpRequest, since that blocks the
Authorization: header because it can get set by the user agent due to the
user being authenticated with that site.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
