[Webkit-unassigned] [Bug 109533] CORS requests don't cache authentication

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Feb 13 12:57:58 PST 2013 

https://bugs.webkit.org/show_bug.cgi?id=109533


Paul Eipper <lkraider+webkit at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |http://lkraider.eipper.com.
                   |                            |br/tests/cors/authcache.htm
                   |                            |l




--- Comment #2 from Paul Eipper <lkraider+webkit at gmail.com>  2013-02-13 13:00:14 PST ---
Note: I just added a test page on the bug report.

Indeed, setting the Authorization header will not cache, even on same-domain requests. I guess my expectations were wrong there.

Discussing this issue with the Mozilla guys, it seems the issue is CORS specifies that the username and password used on the `open` call should be discarded, which in practice makes CORS authorization uncacheable.

The use case I have in mind is (quoting from my discussion over at Mozilla):

"Take the use case of a website that uses a REST API which requires BasicAuth (everything goes over HTTPS):

1. website presents a form login, which is used to auth user against API;
2. JS performs XHR on API to verify auth;
3. Auth is cached by the browser, which allows the website to perform other requests during that session.

While this works for same-domain, step 3 evidently does not work with CORS, since not `open` nor setting the headers will do the caching.

Is this just not a valid use case for CORS?

Only possible workaround I can see is to store form input in a session cookie to send on all CORS requests.
Pros: lifetime is the same as regular browser auth caching
Cons: credentials are easily readable on the machine

I would appreciate any advice regarding this.
"

Regarding the CORS specification, I don't understand the rationale of discarding the credentials on the open call. I don't see what attacks does that prevent that cannot be achieved by using `setRequestHeader` for the Authorization (the spec is not very clear here).

Regarding Webkit then, I guess the issue is whether it should support some form of caching for CORS credentials, is this a reasonable use-case, and if adhering to the spec makes sense there.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list