On Tue, 04 Apr 2006 14:02:23 +0200, Charles McCathieNevile
<[EMAIL PROTECTED]> wrote:
At the face to face we discussed the question of whether open() should
be allowed/obliged/forbidden/... to use the authentication information
that had been provided to access a page. In summary, I think the answer
is "Yes, subject to security restrictions that may be imposed by a
browser".
An additional possibility, of course, is that the browser separately ask
the user to approve, or re-authenticate for, the request.
I guess a browser may send the authentication information without making
it available to the script (e.g. in the case of some useful, trusted XSS),
although it is always available to the server, of course.
cheers
Chaals
--
Charles McCathieNevile [EMAIL PROTECTED]
hablo español - je parle français - jeg lærer norsk
Peek into the kitchen: http://snapshot.opera.com/