
User/password are always safe as they require a preflight request for the Authorization header

Fixes https://www.w3.org/Bugs/Public/show_bug.cgi?id=17242#c13 (and
therefore the entire bug)

This also cleans up the way the user/password arguments are defined a
lot and gives them default values.
1 parent d43a363 commit 08fb7d6b1d0d28116710e9db231e709b3890fca3 @annevk annevk committed Oct 11, 2012
Showing with 26 additions and 130 deletions.
  1. +13 −65 Overview.html
  2. +13 −65 Overview.src.html
Overview.html
@@ -297,7 +297,7 @@ <h2 id="interface-xmlhttprequest"><span class="secno">4 </span>Interface <code t
readonly attribute unsigned short <a href="#dom-xmlhttprequest-readystate" title="dom-XMLHttpRequest-readyState">readyState</a>;
// <a href="#request">request</a>
- void <a href="#dom-xmlhttprequest-open" title="dom-XMLHttpRequest-open">open</a>(ByteString <var>method</var>, DOMString <var title="">url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var>, optional DOMString? <var>password</var>);
+ void <a href="#dom-xmlhttprequest-open" title="dom-XMLHttpRequest-open">open</a>(ByteString <var>method</var>, DOMString <var title="">url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var> = null, optional DOMString? <var>password</var> = null);
void <a href="#dom-xmlhttprequest-setrequestheader" title="dom-XMLHttpRequest-setRequestHeader">setRequestHeader</a>(ByteString <var>header</var>, ByteString <var>value</var>);
attribute unsigned long <a href="#dom-xmlhttprequest-timeout" title="dom-XMLHttpRequest-timeout">timeout</a>;
attribute boolean <a href="#dom-xmlhttprequest-withcredentials" title="dom-XMLHttpRequest-withCredentials">withCredentials</a>;
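Review bot: with `user` and `password` now defaulting to `null`, `open()` can no longer distinguish an omitted argument from an explicit `null`, so every remaining sentence in the open() section that speaks of these arguments being "passed" or "omitted" has to be reworded to the null test this IDL now implies; please check the method description as well as the algorithm steps, since only the latter is visibly updated in this commit.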
@@ -623,23 +623,14 @@ <h4 id="the-open()-method"><span class="secno">4.7.1 </span>The <code title="">o
<code>CONNECT</code>, <code>TRACE</code> or <code>TRACK</code>.</p>
<p>Throws an "<code class="external"><a href="http://dom.spec.whatwg.org/#invalidaccesserror">InvalidAccessError</a></code>"
- exception if one of the following is true:</p>
-
- <ul>
- <li>Either <var title="">user</var> or <var title="">password</var> is passed
- as argument and the <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#origin">origin</a> of
- <var title="">url</var> does not match the
- <a href="#xmlhttprequest-origin"><code>XMLHttpRequest</code> origin</a>.
- <li>There is an associated
- <a href="#xmlhttprequest-document"><code>XMLHttpRequest</code> document</a> and either the
- <code title="dom-XMLHttpRequest-timeout"><a href="#dom-xmlhttprequest-timeout">timeout</a></code> attribute is not
- zero, the
- <code title="dom-XMLHttpRequest-withCredentials"><a href="#dom-xmlhttprequest-withcredentials">withCredentials</a></code>
- attribute is true, or the
- <code title="dom-XMLHttpRequest-responseType"><a href="#dom-xmlhttprequest-responsetype">responseType</a></code>
- attribute is not the empty string.
- </ul>
- </dd>
+ exception if there is an associated
+ <a href="#xmlhttprequest-document"><code>XMLHttpRequest</code> document</a> and either the
+ <code title="dom-XMLHttpRequest-timeout"><a href="#dom-xmlhttprequest-timeout">timeout</a></code> attribute is not
+ zero, the
+ <code title="dom-XMLHttpRequest-withCredentials"><a href="#dom-xmlhttprequest-withcredentials">withCredentials</a></code>
+ attribute is true, or the
+ <code title="dom-XMLHttpRequest-responseType"><a href="#dom-xmlhttprequest-responsetype">responseType</a></code>
+ attribute is not the empty string.
</dl>
<p>The
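Review bot: the deleted block at the end of this hunk took the explicit `</dd>` with it and the replacement does not put it back, so the `<dd>` holding the InvalidAccessError description is now closed only implicitly by the following `</dl>`; add `</dd>` after `attribute is not the empty string.` to match the other entries in this list. Separately, dropping the cross-origin user/password bullet leaves this section silent on what open() now does with those arguments for a cross-origin url; a one-line note that they become the request username/password and are therefore subject to the CORS preflight (the rationale in the commit message) would keep the new behaviour discoverable where the old restriction used to be documented.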
@@ -753,45 +744,11 @@ <h4 id="the-open()-method"><span class="secno">4.7.1 </span>The <code title="">o
"<code class="external"><a href="http://dom.spec.whatwg.org/#invalidaccesserror">InvalidAccessError</a></code>" exception and
terminate these steps.
- <li>
- <p>If the <var title="">user</var> argument was not omitted follow these
- substeps:
-
- <ol>
- <li><p>If <var title="">user</var> is not null and the
- <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#origin">origin</a> of <var title="">url</var> is not
- <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#same-origin">same origin</a> with the
- <a href="#xmlhttprequest-origin"><code>XMLHttpRequest</code> origin</a>,
- <a class="external" href="http://dom.spec.whatwg.org/#concept-throw" title="concept-throw">throw</a> an
- "<code class="external"><a href="http://dom.spec.whatwg.org/#invalidaccesserror">InvalidAccessError</a></code>" exception and
- terminate the overall set of steps.
+ <li><p>If the <var title="">user</var> argument is not null, set
+ <var>temp user</var> to <var>user</var>.
- <li><p>Let <var>temp user</var> be <var>user</var>.</li>
- </ol>
-
- <p class="note">These steps override anything that may have been set by
- the <var title="">url</var> argument.</p>
- </li>
-
- <li>
- <p>If the <var title="">password</var> argument was not omitted follow
- these substeps:
-
- <ol>
- <li><p>If <var title="">password</var> is not null and the
- <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#origin">origin</a> of <var title="">url</var> is not
- <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#same-origin">same origin</a> with the
- <a href="#xmlhttprequest-origin"><code>XMLHttpRequest</code> origin</a>,
- <a class="external" href="http://dom.spec.whatwg.org/#concept-throw" title="concept-throw">throw</a> an
- "<code class="external"><a href="http://dom.spec.whatwg.org/#invalidaccesserror">InvalidAccessError</a></code>" exception and
- terminate the overall set of steps.</li>
-
- <li><p>Let <var>temp password</var> be <var>password</var>.</li>
- </ol>
-
- <p class="note">These steps override anything that may have been set by
- the <var title="">url</var> argument.</p>
- </li>
+ <li><p>If the <var title="">password</var> argument is not null, set
+ <var>temp password</var> to <var>password</var>.
<li><p><a href="#terminate-abort()" title="terminate abort()">Terminate the <code>abort()</code> algorithm</a>.</li>
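Review bot: the two deleted notes "These steps override anything that may have been set by the url argument" were the only statement that an explicit user/password argument takes precedence over userinfo in the url, and the new one-line steps drop that without replacement even though the precedence is still exactly what they implement; keep one copy of the note after the password step. Also, the new `<li><p>` steps carry no closing tags while the neighbouring abort() step ends with `</li>`, so the list now mixes styles; close the new items the same way.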
@@ -1398,15 +1355,6 @@ <h4 id="the-send()-method"><span class="secno">4.7.6 </span>The <code title="">s
<dd>Set if the <a href="#upload-events-flag">upload events flag</a> is set.
</dl>
- <p class="note"><a href="#request-username">Request username</a> and
- <a href="#request-password">request password</a> are always ignored as part of a
- <a class="external" href="http://fetch.spec.whatwg.org/#cross-origin-request">cross-origin request</a>; including
- them would allow a site to perform a distributed password search.
- However, user agents will include <a href="#user-credentials">user credentials</a> in the
- request (if the user has any and if
- <code title="dom-XMLHttpRequest-withCredentials"><a href="#dom-xmlhttprequest-withcredentials">withCredentials</a></code>
- is true).</p>
-
<dl class="switch">
<dt>If the <a href="#synchronous-flag">synchronous flag</a> is set</dt>
<dd>
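Review bot: removing this note deletes the only stated security argument about cross-origin username/password (the distributed password search concern) without recording the new one, so a reader of the send() algorithm no longer learns why sending them is acceptable; the commit message's reasoning, that these credentials produce an Authorization header, which is not a simple header and therefore forces a CORS preflight, belongs here in its place, together with the caveat that a server which answers the preflight with Authorization in Access-Control-Allow-Headers has opted in to receiving cross-origin authentication attempts. The second sentence of the note (user agents include user credentials when withCredentials is true) is unaffected by the fix and should survive the deletion.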
Overview.src.html
@@ -245,7 +245,7 @@ <h2 id="terminology">Terminology</h2>
readonly attribute unsigned short <span title="dom-XMLHttpRequest-readyState">readyState</span>;
// <a href="#request">request</a>
- void <span title="dom-XMLHttpRequest-open">open</span>(ByteString <var>method</var>, DOMString <var title>url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var>, optional DOMString? <var>password</var>);
+ void <span title="dom-XMLHttpRequest-open">open</span>(ByteString <var>method</var>, DOMString <var title>url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var> = null, optional DOMString? <var>password</var> = null);
void <span title="dom-XMLHttpRequest-setRequestHeader">setRequestHeader</span>(ByteString <var>header</var>, ByteString <var>value</var>);
attribute unsigned long <span title="dom-XMLHttpRequest-timeout">timeout</span>;
attribute boolean <span title="dom-XMLHttpRequest-withCredentials">withCredentials</span>;
@@ -571,23 +571,14 @@ <h3 id="request">Request</h3>
<code>CONNECT</code>, <code>TRACE</code> or <code>TRACK</code>.</p>
<p>Throws an "<code data-anolis-spec=dom>InvalidAccessError</code>"
- exception if one of the following is true:</p>
-
- <ul>
- <li>Either <var title>user</var> or <var title>password</var> is passed
- as argument and the <span data-anolis-spec=html>origin</span> of
- <var title>url</var> does not match the
- <span><code>XMLHttpRequest</code> origin</span>.
- <li>There is an associated
- <span><code>XMLHttpRequest</code> document</span> and either the
- <code title=dom-XMLHttpRequest-timeout>timeout</code> attribute is not
- zero, the
- <code title=dom-XMLHttpRequest-withCredentials>withCredentials</code>
- attribute is true, or the
- <code title=dom-XMLHttpRequest-responseType>responseType</code>
- attribute is not the empty string.
- </ul>
- </dd>
+ exception if there is an associated
+ <span><code>XMLHttpRequest</code> document</span> and either the
+ <code title=dom-XMLHttpRequest-timeout>timeout</code> attribute is not
+ zero, the
+ <code title=dom-XMLHttpRequest-withCredentials>withCredentials</code>
+ attribute is true, or the
+ <code title=dom-XMLHttpRequest-responseType>responseType</code>
+ attribute is not the empty string.
</dl>
<p>The
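Review bot: the deleted lines end with `</dd>` and the added lines do not restore it, so the `<dd>` for the InvalidAccessError entry is left to be closed implicitly by `</dl>`; since the data-anolis-spec attributes indicate this is the source file from which Overview.html is generated, the `</dd>` needs to be restored here, after `attribute is not the empty string.`, rather than patched only in the generated output.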
@@ -701,45 +692,11 @@ <h3 id="request">Request</h3>
"<code data-anolis-spec=dom>InvalidAccessError</code>" exception and
terminate these steps.
- <li>
- <p>If the <var title>user</var> argument was not omitted follow these
- substeps:
-
- <ol>
- <li><p>If <var title>user</var> is not null and the
- <span data-anolis-spec=html>origin</span> of <var title>url</var> is not
- <span data-anolis-spec=html>same origin</span> with the
- <span><code>XMLHttpRequest</code> origin</span>,
- <span data-anolis-spec=dom title=concept-throw>throw</span> an
- "<code data-anolis-spec=dom>InvalidAccessError</code>" exception and
- terminate the overall set of steps.
+ <li><p>If the <var title>user</var> argument is not null, set
+ <var>temp user</var> to <var>user</var>.
- <li><p>Let <var>temp user</var> be <var>user</var>.</p></li>
- </ol>
-
- <p class=note>These steps override anything that may have been set by
- the <var title>url</var> argument.</p>
- </li>
-
- <li>
- <p>If the <var title>password</var> argument was not omitted follow
- these substeps:
-
- <ol>
- <li><p>If <var title>password</var> is not null and the
- <span data-anolis-spec=html>origin</span> of <var title>url</var> is not
- <span data-anolis-spec=html>same origin</span> with the
- <span><code>XMLHttpRequest</code> origin</span>,
- <span data-anolis-spec=dom title=concept-throw>throw</span> an
- "<code data-anolis-spec=dom>InvalidAccessError</code>" exception and
- terminate the overall set of steps.</p></li>
-
- <li><p>Let <var>temp password</var> be <var>password</var>.</p></li>
- </ol>
-
- <p class=note>These steps override anything that may have been set by
- the <var title>url</var> argument.</p>
- </li>
+ <li><p>If the <var title>password</var> argument is not null, set
+ <var>temp password</var> to <var>password</var>.
<li><p><span title="terminate abort()">Terminate the <code>abort()</code> algorithm</span>.</p></li>
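Review bot: in this source file the neighbouring abort() step is written `<li><p>…</p></li>`, but the two new steps have neither `</p>` nor `</li>`; write them as `<li><p>If the <var title>user</var> argument is not null, set <var>temp user</var> to <var>user</var>.</p></li>` (and likewise for password) so the list stays consistent. The removed note about the arguments overriding userinfo from the url still describes what these steps do, so retaining one copy after the password step would avoid losing that precedence rule from the spec text.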
@@ -1346,15 +1303,6 @@ <h3 id="request">Request</h3>
<dd>Set if the <span>upload events flag</span> is set.
</dl>
- <p class=note><span>Request username</span> and
- <span>request password</span> are always ignored as part of a
- <span data-anolis-spec=cors>cross-origin request</span>; including
- them would allow a site to perform a distributed password search.
- However, user agents will include <span>user credentials</span> in the
- request (if the user has any and if
- <code title="dom-XMLHttpRequest-withCredentials">withCredentials</code>
- is true).</p>
-
<dl class=switch>
<dt>If the <span>synchronous flag</span> is set</dt>
<dd>
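Review bot: this deletion in the source file should be replaced rather than left empty, since the rationale for the change exists only in the commit message; a note along the lines of "<p class=note>Request username and request password are included in a cross-origin request. Because they result in an Authorization header, which is not a simple header, such a request always involves a CORS preflight, and the server must explicitly allow that header.</p>" would carry the argument into the spec itself and would also preserve the still-correct second sentence about withCredentials and user credentials.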
