As far as I know, JavaScript code can set headers, incl. Authorization
Headers, using the operation setRequestHeaders of the XMLHttpRequest
Object.

XMLHttpRequest is limited to the same domain (example.com can make calls to
example.com). When making cross domain requests (example.com requesting data
from facebook.com), different techniques must be used. Many of those techniques
(such as JSONP) are restricted to just modifying the URL, and cannot set
headers or use POST.

I thought "HTTP Origin Headers" (http://www.petefreitag.com/item/702.cfm) would
eliminate that restriction?

Use of the Origin HTTP header and W3C CORS (see
https://developer.mozilla.org/En/HTTP_access_control for an explanation and
information about Mozilla's support for that) is one of the proposed ways to
allow cross-domain requests. There are others, such as the proposed standard
Uniform Messaging Policy (http://www.w3.org/TR/UMP/).

However,

i) Not all browsers support CORS yet (Gecko and WebKit latest builds do, but
not their latest stable versions)
ii) Sites have to "opt-in" in all of these models to allow a cross-domain
request, and most sites haven't opted in (cross-domain requests are thus not allowed in
most cases)

So browsers will often have to enforce same-domain requests in the usual way,
requiring hacks like JSONP in order to perform cross-site requests, and thus
JavaScript cannot be (and will not be any time soon) assumed to support the
setting of HTTP headers in all cases.

Cheers,
- johnk

Thanks for your explanation.

Regards,
Torsten.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
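
The server-side "opt-in" discussed in the thread, as an added example that is not part of the original messages: a CORS preflight decision that lets a cross-origin script send an Authorization header only when the requesting origin, method and headers are all on the site's allowlist. The function name, the `POLICY` object and the origins are hypothetical and constructed for illustration.

```javascript
// Added example: server-side CORS preflight decision (hypothetical names).
// POLICY values are constructed for illustration.
const POLICY = {
  origins: new Set(["https://client.example.com"]),
  methods: new Set(["GET", "POST"]),
  headers: new Set(["authorization", "content-type"]),
};

// Lower-case header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Decide the response to an OPTIONS preflight. Returning no
// Access-Control-* headers means "not opted in": the browser then refuses
// to send the real request, so the script cannot set Authorization.
function preflightResponse(requestHeaders, policy = POLICY) {
  const h = normalize(requestHeaders);
  const denied = { status: 403, headers: { Vary: "Origin" } };

  const origin = h["origin"];
  if (!origin || !policy.origins.has(origin)) return denied;

  const method = (h["access-control-request-method"] || "").toUpperCase();
  if (!policy.methods.has(method)) return denied;

  const wanted = (h["access-control-request-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (!wanted.every((name) => policy.headers.has(name))) return denied;

  return {
    status: 204,
    headers: {
      // Echo only an allowlisted origin, never "*" or an unchecked value.
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": method,
      "Access-Control-Allow-Headers": wanted.join(", "),
      Vary: "Origin",
    },
  };
}
```

A site that never returns the Access-Control-Allow-* headers has not opted in, which is the default case described in point ii).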