
So I'm implementing a web application using customized authentication.

The implementation now looks like this (the parentheses below quote HTTP headers):

Client: (Authorization: <Username>:<Password>)
Server: (Authentication-Info: nextnonce=<signed token>)
Client: (Authorization: Bearer <signed token>) client includes this for all following communication

This worked perfectly with the mobile app client, until I ran into a huge mass of CORS configuration in the web client.

I noticed that Chrome refused to get the Authentication-Info header unless I added it to the Access-Control-Expose-Headers header. And the value of Access-Control-Allow-Credentials doesn't matter at all, while the document says that credentials include "HTTP authentication".

So what's the point of Access-Control-Allow-Credentials here? Is my understanding of "HTTP authentication" wrong? And does my implementation of this app look good so far?

BTW, I've read this answer. But it doesn't explain this clearly, I think.

  • A response of `Access-Control-Allow-Credentials: true` from the server `cross.example.com` is used to indicate that the *client* is allowed to *use* credentials for `cross.example.com` when *making the request*. It has no impact on the ability to read particular response headers, but it may impact the ability to read the response totally. When you omit `Access-Control-Allow-Credentials`, can you read the response at all? – apsillers Mar 19 '15 at 14:19
  • @apsillers yes, I can read all "simple headers", the headers allowed by Access-Control-Expose-Headers and the response body. So what's the purpose of telling the client whether it's allowed to use those headers? The server can simply remove those headers from Access-Control-Allow-Headers. – Reinhard Mar 19 '15 at 15:11
  • @apsillers BTW, http://www.w3.org/TR/cors/#user-credentials says "The Access-Control-Allow-Credentials header indicates whether the response to request can be exposed when the omit credentials flag is unset." Which by my understanding, is quite the same as Access-Control-Expose-Headers. – Reinhard Mar 19 '15 at 15:16
  • The language that describes them is quite different (though maybe difficult to parse). `Allow-Credentials` determines "*whether the response... can be exposed*" for a credentialed request, while `Expose-Headers` indicates "*which [response] headers are safe to expose*". `Allow-Credentials` is a boolean that allows the client to read the response to a credential request at all (since by default responses to credentialed requests cannot be read by the client script). `Expose-Headers` is a list of which headers in the response can be read (assuming the response is allowed to be read at all). – apsillers Mar 19 '15 at 16:00
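The two gates apsillers describes can be made concrete with a small model of the browser-side checks. This is an added example, not code from the question, the comments or any browser; it models the six "simple response headers" of the W3C CORS draft linked above, and the origin, header names and token value in the sample response are constructed. One detail it encodes that explains the original observation: `withCredentials` models the request's credentials mode (`xhr.withCredentials` / `fetch(..., {credentials: 'include'})`), which covers cookies and browser-managed HTTP authentication. An `Authorization` header the script sets by hand, as in the OP's second step, does not switch that mode on, so for such a request `Access-Control-Allow-Credentials` never comes into play and only `Access-Control-Expose-Headers` decides whether `Authentication-Info` is visible.

```javascript
// Added example (not from the question or its comments): a model of the two separate
// CORS gates a browser applies to a cross-origin response.
// Gate 1 (origin + Access-Control-Allow-Credentials): may the script read the response at all?
// Gate 2 (Access-Control-Expose-Headers): which response headers may it see?
// All header names and sample values below are constructed.

// "Simple response headers" from the W3C CORS draft cited in the thread:
// readable without being listed in Access-Control-Expose-Headers.
const SIMPLE_RESPONSE_HEADERS = new Set([
  'cache-control', 'content-language', 'content-type', 'expires', 'last-modified', 'pragma',
]);

function lowerCaseHeaders(headers) {
  return new Map(Object.entries(headers).map(([name, value]) => [name.toLowerCase(), value]));
}

// Gate 1. withCredentials models the request's credentials mode (cookies, browser-managed
// HTTP auth). A script-set Authorization header does NOT turn this on.
function isResponseReadable(requestOrigin, withCredentials, headers) {
  const h = lowerCaseHeaders(headers);
  const allowOrigin = h.get('access-control-allow-origin');
  if (allowOrigin === undefined) return { ok: false, reason: 'no Access-Control-Allow-Origin' };
  if (withCredentials) {
    if (allowOrigin === '*') return { ok: false, reason: 'wildcard origin is not valid with credentials' };
    if (allowOrigin !== requestOrigin) return { ok: false, reason: 'origin mismatch' };
    if (h.get('access-control-allow-credentials') !== 'true') {
      return { ok: false, reason: 'credentialed request but Access-Control-Allow-Credentials is not "true"' };
    }
    return { ok: true };
  }
  if (allowOrigin !== '*' && allowOrigin !== requestOrigin) return { ok: false, reason: 'origin mismatch' };
  return { ok: true };
}

// Gate 2. Only simple headers plus those named in Access-Control-Expose-Headers are visible.
function visibleHeaders(headers) {
  const h = lowerCaseHeaders(headers);
  const exposed = new Set(SIMPLE_RESPONSE_HEADERS);
  for (const name of (h.get('access-control-expose-headers') || '').split(',')) {
    const n = name.trim().toLowerCase();
    if (n) exposed.add(n);
  }
  const visible = {};
  for (const [name, value] of h) if (exposed.has(name)) visible[name] = value;
  return visible;
}

// What a script on requestOrigin ends up seeing of the response.
function readCrossOriginResponse(requestOrigin, withCredentials, headers) {
  const gate = isResponseReadable(requestOrigin, withCredentials, headers);
  if (!gate.ok) return { readable: false, reason: gate.reason, headers: {} };
  return { readable: true, headers: visibleHeaders(headers) };
}

// Constructed sample: the login response from the API on another origin, as in the question.
const loginResponse = {
  'Content-Type': 'application/json',
  'Authentication-Info': 'nextnonce=EXAMPLE_SIGNED_TOKEN',
  'Access-Control-Allow-Origin': 'https://app.example',
  'Access-Control-Expose-Headers': 'Authentication-Info',
};

function demo() {
  const origin = 'https://app.example';
  // The OP's case: no credentials mode, so Allow-Credentials is irrelevant and
  // Expose-Headers alone decides whether Authentication-Info is visible.
  const plain = readCrossOriginResponse(origin, false, loginResponse);
  // Same response, but the request carried a cookie (credentials mode on): the missing
  // Allow-Credentials now blocks the whole response, not just one header.
  const credentialedBlocked = readCrossOriginResponse(origin, true, loginResponse);
  // Adding Allow-Credentials: true opens gate 1; gate 2 is unchanged.
  const credentialedAllowed = readCrossOriginResponse(origin, true, {
    ...loginResponse, 'Access-Control-Allow-Credentials': 'true',
  });
  return { plain, credentialedBlocked, credentialedAllowed };
}
```

The model makes the distinction visible in the results: for the non-credentialed request the response is readable and `authentication-info` appears only because it was listed in `Access-Control-Expose-Headers`; for the credentialed request the same response is not readable at all until `Access-Control-Allow-Credentials: true` is present.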
