I wish to use XHR to log in a site that utilizes HTTP fundamental authentication. The next piece performs this.
http = new XMLHttpRequest(); http.open("get", "http://...", false, username, password); http.send("");
The issue is this doesn't work from the domain that's not the same as the main one in which the authentication is. The answer is straightforward enough: set the Access-Control-Allow-Origin header to *. And So I transformed my Apache configuration for this:
<Location /> Header set Access-Control-Allow-Origin "*" AuthType Basic AuthName "trac" AuthUserFile /home/admin/development/pass.htpasswd Require valid-user </Location>
Reactions from that page seem like:
HTTP/1.1 401 Authorization Required Connection: Keep-Alive Content-Encoding: gzip Content-Length: 345 Content-Type: text/html; charset=iso-8859-1 Date: Sun, 11 Sep 2011 01:17:55 GMT Keep-Alive: timeout=15, max=100 Vary: Accept-Encoding WWW-Authenticate: Basic realm="trac"
The reactions don't have the Access-Control-Allow-Origin header. This appears strange.
After I make use of the same Header directive for that inside pages, the header is placed.
Why was the header not set? How can you set the Access-Control-Allow-Origin header for that HTTP fundamental authentication response in Apache?