134 results for "credentials":
CredentialsContainer.get() - Web APIs
the get() method of the credentialscontainer interface returns a promise to a single credential instance that matches the provided parameters.
... this method first collects all credentials in the credentialscontainer that meet the necessary criteria (defined in the options argument).
... from the resulting set of credentials, it then selects the best one.
...And 8 more matches
Access-Control-Allow-Credentials - HTTP
the access-control-allow-credentials response header tells browsers whether to expose the response to frontend javascript code when the request's credentials mode (request.credentials) is include.
... when a request's credentials mode (request.credentials) is include, browsers will only expose the response to frontend javascript code if the access-control-allow-credentials value is true.
... credentials are cookies, authorization headers or tls client certificates.
...And 7 more matches
CredentialsContainer - Web APIs
the credentialscontainer interface of the credential management api exposes methods to request credentials and notify the user agent when events such as successful sign in or sign out happen.
... this interface is accessible from navigator.credentials.
... methods credentialscontainer.create()secure context returns a promise that resolves with a new credential instance based on the provided options, or null if no credential object can be created.
...And 4 more matches
PublicKeyCredentialRequestOptions.allowCredentials - Web APIs
allowcredentials is an optional property of the publickeycredentialrequestoptions dictionary which indicates the existing credentials acceptable for retrieval.
... note: publickeycredentialcreationoptions.excludecredentials may be used during the creation of the credentials in order to avoid creating new credentials for an existing user with existing public key credential.
... contrary to allowcredentials, it is used to filter out credentials.
...And 4 more matches
Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’ - HTTP
reason: expected ‘true’ in cors header ‘access-control-allow-credentials’ what went wrong?
... the cors request requires that the server permit the use of credentials, but the server's access-control-allow-credentials header's value isn't set to true to enable their use.
... to fix this problem on the client side, revise the code to not request the use of credentials.
...And 4 more matches
Request.credentials - Web APIs
the credentials read-only property of the request interface indicates whether the user agent should send cookies from the other domain in the case of cross-origin requests.
... syntax var mycred = request.credentials; value a requestcredentials dictionary value indicating whether the user agent should send cookies from the other domain in the case of cross-origin requests.
... same-origin: send user credentials (cookies, basic http auth, etc.) if the url is on the same origin as the calling script.
...And 3 more matches
XMLHttpRequest.withCredentials - Web APIs
the xmlhttprequest.withcredentials property is a boolean that indicates whether or not cross-site access-control requests should be made using credentials such as cookies, authorization headers or tls client certificates.
... setting withcredentials has no effect on same-site requests.
...xmlhttprequest from a different domain cannot set cookie values for their own domain unless withcredentials is set to true before making the request.
...And 3 more matches
PublicKeyCredentialCreationOptions.excludeCredentials - Web APIs
excludecredentials, an optional property of the publickeycredentialcreationoptions dictionary, is an array whose elements are descriptors for the public keys already existing for a given user.
... this is provided by the relying party's server if it wants to prevent creation of new credentials for an existing user.
... syntax excludecredentials = publickeycredentialcreationoptions.excludecredentials value an array whose elements are objects with the following properties: type a string describing type of public-key credential to be created.
...And 2 more matches
CredentialsContainer.create() - Web APIs
the create() method of the credentialscontainer interface returns a promise that resolves with a new credential instance based on the provided options, or null if no credential object can be created.
... syntax var promise = credentialscontainer.create([options]) parameters options an object of type credentialcreationoptions that contains options for the requested new credentials object.
...contains requirements for creating/obtaining federated credentials.
... web authentication: an api for accessing public key credentials level 1 recommendation initial definition.
EventSource.withCredentials - Web APIs
the withcredentials read-only property of the eventsource interface returns a boolean indicating whether the eventsource object was instantiated with cors credentials set.
... syntax var mywithcredentials = eventsource.withcredentials; value a boolean indicating whether the eventsource object was instantiated with cors credentials set (true), or not (false, the default).
... examples var evtsource = new eventsource('sse.php'); console.log(evtsource.withcredentials); note: you can find a full example on github — see simple sse demo using php.
... specifications specification status comment html living standardthe definition of 'withcredentials' in that specification.
Navigator.credentials - Web APIs
the credentials property of the navigator interface returns the credentialscontainer interface, which exposes methods to request credentials.
... the credentialscontainer interface also notifies the user agent when an interesting event occurs, such as a successful sign-in or sign-out.
... syntax var credentialscontainer = navigator.credentials value the credentialscontainer interface.
... example if ('credentials' in navigator) { navigator.credentials.get({password: true}) .then(function(creds) { //do something with the credentials.
Feature-Policy: publickey-credentials-get - HTTP
the http feature-policy header publickey-credentials-get directive controls whether the current document is allowed to access web authentication api to create new public-key credentials, i.e., via navigator.credentials.get({publickey: ..., ...}).
... when this policy is enabled, any attempt to query public key credentials will result in an error.
... syntax feature-policy: publickey-credentials-get <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... definition of publickey-credentials-get directive, default allowlist.
CredentialsContainer.preventSilentAccess() - Web APIs
the preventsilentaccess() method of the credentialscontainer interface sets a flag that specifies whether automatic log in is allowed for future visits to the current origin, then returns an empty promise.
...mediation varies by origin, and is an added check point of browser stored credentials, informing a user of an account login status.
... syntax var promise = credentialscontainer.preventsilentaccess() parameters none.
CredentialsContainer.store() - Web APIs
the store() method of the credentialscontainer stores a set of credentials for the user inside a credential instance, returning this in a promise.
... syntax credentialscontainer.store(credential).then(function(credential) { ...
... } ) parameters credentials a valid credential instance.
passwords - Archive of obsolete content
interact with firefox's password manager to add, retrieve and remove stored credentials.
... using this module you can: search for credentials which have been stored in the password manager.
... you can then use the credentials to access their related service (for example, by logging into a web site).
...And 31 more matches
Index - Web APIs
216 authenticatorassertionresponse api, authentication, authenticatorassertionresponse, interface, reference, web authentication api, webauthn the authenticatorassertionresponse interface of the web authentication api is returned by credentialscontainer.get() when a publickeycredential is passed, and provides proof to a service that it has a key pair and that the authentication request is valid and approved.
...such an identifier can be used by the relying party's server to link the user account with its corresponding credentials and other data.
... 220 authenticatorattestationresponse api, authentication, authenticatorattestationresponse, interface, reference, web authentication api, webauthn the authenticatorattestationresponse interface of the web authentication api is returned by credentialscontainer.create() when a publickeycredential is passed, and provides a cryptographic root of trust for the new key pair that has been generated.
...And 27 more matches
Web Authentication API - Web APIs
similar to the other forms of the credential management api, the web authentication api has two basic methods that correspond to register and login: navigator.credentials.create() - when used with the publickey option, creates new credentials, either for registering a new account or for associating a new asymmetric key pair credentials with an existing account.
... navigator.credentials.get() - when used with the publickey option, uses an existing set of credentials to authenticate to a service, either logging a user in or as a form of second-factor authentication.
... in order to understand how the create() and get() methods fit into the bigger picture, it is important to understand that they sit between two components that are outside the browser: server - the web authentication api is intended to register new credentials on a server (also referred to as a service or a relying party) and later use those same credentials on that same server to authenticate a user.
...And 12 more matches
HTTP authentication - HTTP
a client that wants to authenticate itself with the server can then do so by including an authorization request header with the credentials.
...in the case of proxies, the challenging status code is 407 (proxy authentication required), the proxy-authenticate response header contains at least one challenge applicable to the proxy, and the proxy-authorization request header is used for providing the credentials to the proxy server.
... access forbidden if a (proxy) server receives valid credentials that are inadequate to access a given resource, the server should respond with the 403 forbidden status code.
...And 9 more matches
Cross-Origin Resource Sharing (CORS) - HTTP
servers can also inform clients whether "credentials" (such as cookies and http authentication) should be sent with requests.
... requests with credentials the most interesting capability exposed by both xmlhttprequest or fetch and cors is the ability to make "credentialed" requests that are aware of http cookies and http authentication information.
... by default, in cross-site xmlhttprequest or fetch invocations, browsers will not send credentials.
...And 9 more matches
Credential Management API - Web APIs
the credential management api lets a website store and retrieve user, federated, and public key credentials.
... credential management concepts and usage this api lets websites interact with a user agent’s password system so that websites can deal in a uniform way with site credentials and user agents can provide better assistance with the management of their credentials.
...to address these problems, the credential management api provides ways for a website to store and retrieve different types of credentials.
...And 6 more matches
HTTP Index - HTTP
30 reason: credential is not supported if the cors header ‘access-control-allow-origin’ is ‘*’ cors, corsnotsupportingcredentials, cross-origin, error, http, https, messages, reasons, security, console, troubleshooting the cors request was attempted with the credentials flag set, but the server is configured using the wildcard ("*") as the value of access-control-allow-origin, which doesn't allow the use of credentials.
... 33 reason: expected ‘true’ in cors header ‘access-control-allow-credentials’ cors, corsmissingallowcredentials, cross-origin, error, http, https, messages, reasons, security, console, troubleshooting the cors request requires that the server permit the use of credentials, but the server's access-control-allow-credentials header's value isn't set to true to enable their use.
... 55 access-control-allow-credentials access-control-allow-credentials, cors, http, reference, credentials, header the access-control-allow-credentials response header tells browsers whether to expose the response to frontend javascript code when the request's credentials mode (request.credentials) is include.
...And 6 more matches
Using Fetch - Web APIs
fetch won’t send cookies, unless you set the credentials init option.
...the spec changed the default credentials policy to same-origin.
... mode: 'cors', // no-cors, *cors, same-origin cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached credentials: 'same-origin', // include, *same-origin, omit headers: { 'content-type': 'application/json' // 'content-type': 'application/x-www-form-urlencoded', }, redirect: 'follow', // manual, *follow, error referrerpolicy: 'no-referrer', // no-referrer, *no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, un...
...And 4 more matches
PublicKeyCredentialCreationOptions - Web APIs
the publickeycredentialcreationoptions dictionary of the web authentication api holds options passed to navigator.credentials.create() in order to create a publickeycredential.
... publickeycredentialcreationoptions.excludecredentials optional an array of descriptors for existing credentials.
... this is provided by the relying party to avoid creating new public key credentials for an existing user who already has some.
...And 4 more matches
PublicKeyCredential.response - Web APIs
the response read-only property of the publickeycredential interface is an authenticatorresponse object which is sent from the authenticator to the user agent for the creation/fetching of credentials.
... an authenticatorresponse is either: an authenticatorattestationresponse (when the publickeycredential is created via credentialscontainer.create()) an authenticatorassertionresponse (when the publickeycredential is obtained via credentialscontainer.get()).
... in order to validate the creation of credentials, a relying party's server needs both: this response the extensions of the client (given by publickeycredential.getclientextensionresults()) to validate the demand.
...And 3 more matches
HTML attribute: crossorigin - HTML: Hypertext Markup Language
these attributes are enumerated, and have the following possible values: keyword description anonymous cors requests for this element will have the credentials flag set to 'same-origin'.
... use-credentials cors requests for this element will have the credentials flag set to 'include'.
...the "anonymous" keyword means that there will be no exchange of user credentials via cookies, client-side ssl certificates or http authentication as described in the terminology section of the cors specification, unless it is in the same origin.
...And 3 more matches
PublicKeyCredential - Web APIs
this identifier can be used to look up credentials for future calls to credentialscontainer.get.
...it is either of type authenticatorattestationresponse if the publickeycredential was the results of a navigator.credentials.create() call, or of type authenticatorassertionresponse if the publickeycredential was the result of a navigator.credentials.get() call.
... examples creating a new instance of publickeycredential here, we use navigator.credentials.create() to generate a new credential.
...And 2 more matches
PublicKeyCredentialRequestOptions - Web APIs
the publickeycredentialrequestoptions dictionary of the web authentication api holds the options passed to navigator.credentials.get() in order to fetch a given publickeycredential.
... publickeycredentialrequestoptions.allowcredentials optional an array of credential descriptors which restricts the acceptable existing credentials for retrieval.
...dealing with legacy fido apis credentials, prompting a specific text on the authenticator, etc.).
...And 2 more matches
Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’ - HTTP
the cors request was attempted with the credentials flag set, but the server is configured using the wildcard ("*") as the value of access-control-allow-origin, which doesn't allow the use of credentials.
... to correct this problem on the client side, simply ensure that the credentials flag's value is false when issuing your cors request.
... if the request is being issued using xmlhttprequest, make sure you're not setting withcredentials to true.
...And 2 more matches
Website security - Learn web development
cross-site request forgery (csrf) csrf attacks allow a malicious user to execute actions using the credentials of another user without that user’s knowledge or consent.
... note: the trick here is that john doesn't need to have access to the user's cookies (or access credentials).
...this technique might be used, for example, to display a legitimate bank site but capture the login credentials into an invisible <iframe> controlled by the attacker.
...this ensures that login credentials, cookies, post requests data and header information are not easily available to attackers.
AuthenticatorAssertionResponse.userHandle - Web APIs
such an identifier can be used by the relying party's server to link the user account with its corresponding credentials and other data.
... note: an authenticatorassertionresponse instance is available on publickeycredential.response after calling navigator.credentials.get().
...username, e-mail, phone number, etc.) examples var options = { challenge: new uint8array(26), // will be another value, provided by the relying party server timeout: 60000 }; navigator.credentials.get({ publickey: options }) .then(function (assertionpkcred) { var userhandle = assertionpkcred.response.userhandle; // send response and client extensions to the server so that it can // go on with the authentication }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for acces...
...sing public key credentials level 1the definition of 'userhandle' in that specification.
HTMLImageElement.crossOrigin - Web APIs
permitted values are: anonymous requests by the <img> element have their mode set to cors and their credentials mode set to same-origin.
... this means that cors is enabled and credentials are sent if the image is fetched from the same origin from which the document was loaded.
... use-credentials requests by the htmlimageelement will use the cors mode and the include credentials mode; all image requests by the element will use cors, regardless of what domain the fetch is from.
... example in this example, a new <img> element is created and added to the document, loading the image with the anonymous state; the image will be loaded using cors and credentials will be used for all cross-origin loads.
PublicKeyCredentialCreationOptions.user - Web APIs
the user property of the publickeycredentialcreationoptions dictionary is an object describing the user account for which the credentials are generated (via navigator.credentials.create()).
...this is an opaque identifier which can be used by the authenticator to link the user account with its corresponding credentials.
... this value will later be used when fetching the credentials in authenticatorassertionresponse.userhandle.
... name: "example corp", id : "login.example.com" }, user: { // to be changed for each user id: new uint8array.from(window.atob("laegmlkjnrlkgnamlafalfka="), c=>c.charcodeat(0)); name: "jdoe@example.com", displayname: "john doe", icon: "https://gravatar.com/avatar/jdoe.png" }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.credentials.create({ publickey }) .then(function (newcredentialinfo) { // send attestation response and client extensions // to the server to proceed with the registration // of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1...
Authorization - HTTP
the http authorization request header contains the credentials to authenticate a user agent with a server, usually, but not necessarily, after the server has responded with a 401 unauthorized status and the www-authenticate header.
... header type request header forbidden header name no syntax authorization: <type> <credentials> directives <type> authentication type.
...other types: iana registry of authentication schemes authentication for aws servers (aws4-hmac-sha256) <credentials> if the "basic" authentication scheme is used, the credentials are constructed like this: the username and the password are combined with a colon (aladdin:opensesame).
...this method is equally secure as sending the credentials in clear text (base64 is a reversible encoding).
Proxy-Authorization - HTTP
the http proxy-authorization request header contains the credentials to authenticate a user agent to a proxy server, usually after the server has responded with a 407 proxy authentication required status and the proxy-authenticate header.
... header type request header forbidden header name no syntax proxy-authorization: <type> <credentials> directives <type> authentication type.
... <credentials> the credentials are constructed like this: the username and the password are combined with a colon (aladdin:opensesame).
...this method is equally secure as sending the credentials in clear text (base64 is a reversible encoding).
How do you upload your files to a web server? - Learn web development
your account is: demozilla your website will be visible at demozilla.examplehostingprovider.net to publish to this account, please connect through sftp with the following credentials: sftp server: sftp://demozilla.examplehostingprovider.net username: demozilla password: quickbrownfox port: 5548 to publish on the web, put your files into the public/htdocs directory.
... user@ is the credentials of the user on the remote server you want to copy files over to.
... again, you would have to get the connection credentials from your hosting provider, but this way you'd have a gui to enter them in.
nsIMsgCloudFileProvider
void refreshuserinfo(in boolean awithui, in nsirequestobserver acallback); parameters awithui whether or not the provider should prompt the user for credentials in the event that the stored credentials have gone stale.
... if awithui is false, and the credentials are stale, the onstoprequest of the acallback nsirequestlistener will get the autherr status code passed to it.
... createexistingaccount() for an init'ed nsimsgcloudfileprovider, attempts to communicate with the service provider in order to get the proper credentials for starting uploads.
Console messages - Firefox Developer Tools
this is a security risk that allows user login credentials to be stolen.
AuthenticatorAssertionResponse.authenticatorData - Web APIs
this is only present during a navigator.credentials.create() call.
... examples var options = { challenge: new uint8array(26), // will be another value, provided by the relying party server timeout: 60000 }; navigator.credentials.get({ publickey: options }) .then(function (assertionpkcred) { var authenticatordata = assertionpkcred.response.authenticatordata; // maybe try to convert the authenticatordata to see what's inside // send response and client extensions to the server so that it can // go on with the authentication }).catch(function (err) { console.error(err); }); specifications ...
... specification status comment web authentication: an api for accessing public key credentials level 1the definition of 'authenticatordata' in that specification.
AuthenticatorAssertionResponse.signature - Web APIs
note: an authenticatorassertionresponse instance is available on publickeycredential.response after calling navigator.credentials.get().
... examples var options = { challenge: new uint8array(26), // will be another value, provided by the relying party server timeout: 60000 }; navigator.credentials.get({ publickey: options }) .then(function (assertionpkcred) { var signature = assertionpkcred.response.signature; // send response and client extensions to the server so that it can // go on with the authentication }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessi...
...ng public key credentials level 1the definition of 'signature' in that specification.
AuthenticatorAssertionResponse - Web APIs
the authenticatorassertionresponse interface of the web authentication api is returned by credentialscontainer.get() when a publickeycredential is passed, and provides proof to a service that it has a key pair and that the authentication request is valid and approved.
...the assertion signature is created with the private key of keypair that was created during the navigator.credentials.create() call and verified using the public key of that same keypair.
... examples var options = { challenge: new uint8array([/* bytes sent from the server */]) }; navigator.credentials.get({ "publickey": options }) .then(function (credentialinfoassertion) { var assertionresponse = credentialinfoassertion.response; // do something specific with the response // send assertion response back to the server // to proceed with the control of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1the definition of 'authenticatorassertionresponse interface' i...
AuthenticatorAttestationResponse.attestationObject - Web APIs
as part of the credentialscontainer.create() call, an authenticator will create a new keypair as well as an attestationobject for that keypair.
... examples var publickey = { challenge: /* from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(16), name: "jdoe@example.com", displayname: "john doe" }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.credentials.create({ publickey }) .then(function (newcredentialinfo) { var attestationobj = newcredentialinfo.response.attestationobject; // this will be a cbor encoded arraybuffer // do something with the response // (sending it back to the relying party server maybe?) }).catch(function (err) { console.error(err); }); specifications specification status comment ...
... web authentication: an api for accessing public key credentials level 1the definition of 'attestationobject' in that specification.
AuthenticatorResponse - Web APIs
authenticatorassertionresponse authenticatorattestationresponse properties authenticatorresponse.clientdatajson a json string in an arraybuffer, representing the client data that was passed to credentialscontainer.create() or credentialscontainer.get().
... examples getting an authenticatorassertionresponse var options = { challenge: new uint8array([/* bytes sent from the server */]) }; navigator.credentials.get({ "publickey": options }) .then(function (credentialinfoassertion) { var assertionresponse = credentialinfoassertion.response; // send assertion response back to the server // to proceed with the control of the credential }).catch(function (err) { console.error(err); }); getting an authenticatorattestationresponse var publickey = { challenge: /* from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(16), name: "jdoe@example.com", displayname: "john doe" }, pubkeycredparams: [ { type: "public-key", alg:...
... -7 } ] }; navigator.credentials.create({ publickey }) .then(function (newcredentialinfo) { var attestationresponse = newcredentialinfo.response; }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1the definition of 'authenticatorresponse interface' in that specification.
Fetch API - Web APIs
fetch() won’t send cookies, unless you set credentials: 'same-origin'.
... in august 2017, the spec changed the default credentials policy to 'same-origin'.
... if you are targeting older versions of these browsers, be sure to include the credentials: 'same-origin' init option on all api requests that may be affected by cookies/user login state.
PublicKeyCredential.getClientExtensionResults() - Web APIs
during the creation or fetching of a publickeycredential (respectively via navigator.credentials.create() and navigator.credentials.get()), it is possible to have "custom" processing by the client for different extensions which are respectively given by publickeycredentialcreationoptions.extensions and publickeycredentialrequestoptions.extensions.
... // user verification index: how the user was verified }, challenge: new uint8array(16) /* from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(16) /* from the server */, name: "jdoe@example.com", displayname: "john doe" }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.credentials.create({ publickey }) .then(function (newcredentialinfo) { var mybuffer = newcredentialinfo.getclientextensionresults(); // mybuffer will contain the result of any of the processing of the "loc" and "uvi" extensions }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing...
... public key credentials level 1the definition of 'getclientextensionresults()' in that specification.
PublicKeyCredential.rawId - Web APIs
the rawid read-only property of the publickeycredential interface is an arraybuffer object containing the identifier of the credentials.
... syntax rawid = publickeycredential.rawid value an arraybuffer containing the identifier of the credentials.
... examples var options = { challenge: new uint8array(26) /* from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(26), /* to be changed for each user */ name: "jdoe@example.com", displayname: "john doe", }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.credentials.create({ publickey: options }) .then(function (pubkeycredential) { var rawid = pubkeycredential.rawid; // do something with rawid }).catch(function (err) { // deal with any error }); specifications specification status comment web authentication: an api for accessing public key credentials level 1the definition of 'rawid' in that specification.
PublicKeyCredentialCreationOptions.extensions - Web APIs
note: an analogous option exists for the fetching operation (navigator.credentials.get()), see publickeycredentialrequestoptions.extensions.
...e, uvm: false, exts: true }, challenge: new uint8array(26) /* this actually is given from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(26), /* to be changed for each user */ name: "jdoe@example.com", displayname: "john doe", }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.credentials.create({ publickey }) .then(function (newcredentialinfo) { // mybuffer will contain the result of any of the processing of the extensions var mybuffer = newcredentialinfo.getclientextensionresults(); // send attestation response and client extensions // to the server to proceed with the registration // of the credential }).catch(function (err) { console.error(err); ...
... }); specifications specification status comment web authentication: an api for accessing public key credentials level 1 the definition of 'extensions' in that specification.
Request - Web APIs
request.context read only contains the context of the request (e.g., audio, image, iframe, etc.) request.credentials read only contains the credentials of the request (e.g., omit, same-origin, include).
... examples in the following snippet, we create a new request using the request() constructor (for an image file in the same directory as the script), then return some property values of the request: const request = new request('https://www.mozilla.org/favicon.ico'); const url = request.url; const method = request.method; const credentials = request.credentials; you could then fetch this request by passing the request object in as a parameter to a windoworworkerglobalscope.fetch() call, for example: fetch(request) .then(response => response.blob()) .then(blob => { image.src = url.createobjecturl(blob); }); in the following snippet, we create a new request using the request() constructor with some initial data and body...
... content for an api request which need a body payload: const request = new request('https://example.com', {method: 'post', body: '{"foo": "bar"}'}); const url = request.url; const method = request.method; const credentials = request.credentials; const bodyused = request.bodyused; note: the body type can only be a blob, buffersource, formdata, urlsearchparams, usvstring or readablestream type, so for adding a json object to the payload you need to stringify that object.
WindowOrWorkerGlobalScope.fetch() - Web APIs
credentials the request credentials you want to use for the request: omit, same-origin, or include.
... typeerror the specified url string includes user credentials.
... living standard initial definition credential management level 1 working draft adds federatedcredential or passwordcredential instance as a possible value for init.credentials.
Worklet.addModule() - Web APIs
options optional an object with any of the following options: credentials: a requestcredentials value that indicates whether to send credentials (e.g.
...see also request.credentials.
... examples audioworklet example const audioctx = new audiocontext(); const audioworklet = audioctx.audioworklet; await audioworklet.addmodule('modules/bypassfilter.js', { credentials: 'omit', }); paintworklet example css.paintworklet.addmodule('https://mdn.github.io/houdini-examples/csspaint/intro/worklets/hilite.js'); once a paintworklet is included, the css paint() function can be used to include the image created by the worklet: @supports (background-image: paint(id)) { h1 { background-image: paint(hollowhighlights, filled, 3px); } } specifications ...
<audio>: The Embed Audio element - HTML: Hypertext Markup Language
if the server does not give credentials to the origin site (by not setting the access-control-allow-origin: http header), the image will be tainted, and its usage restricted.
... use-credentials sends a cross-origin request with a credential.
...if the server does not give credentials to the origin site (through access-control-allow-credentials: http header), the image will be tainted and its usage restricted.
<img>: The Image Embed element - HTML: Hypertext Markup Language
allowed values: anonymous a cors request is sent with credentials omitted (that is, no cookies, x.509 certificates, or authorization request header).
... use-credentials the cors request is sent with any credentials included (that is, cookies, x.509 certificates, and the authorization request header).
... if the server does not opt into sharing credentials with the origin site (by sending back the access-control-allow-credentials: true response header), then the browser marks the image as tainted and restricts access to its image data.
<link>: The External Resource Link element - HTML: Hypertext Markup Language
if the server does not give credentials to the origin site (by not setting the access-control-allow-origin http header) the resource will be tainted and its usage restricted.
... use-credentials a cross-origin request (i.e.
...if the server does not give credentials to the origin site (through access-control-allow-credentials http header), the resource will be tainted and its usage restricted.
<video>: The Video Embed element - HTML: Hypertext Markup Language
if the server does not give credentials to the origin site (by not setting the access-control-allow-origin: http header), the image will be tainted, and its usage restricted.
... use-credentials sends a cross-origin request with a credential.
...if the server does not give credentials to the origin site (through access-control-allow-credentials: http header), the image will be tainted and its usage restricted.
Access-Control-Expose-Headers - HTTP
* (wildcard) the value "*" only counts as a special wildcard value for requests without credentials (requests without http cookies or http authentication information).
... in requests with credentials, it is treated as the literal header name "*" without special semantics.
... examples to expose a non-cors-safelisted request header, you can specify: access-control-expose-headers: content-length to additionally expose a custom header, like x-kuma-revision, you can specify multiple headers separated by a comma: access-control-expose-headers: content-length, x-kuma-revision in requests without credentials, you can also use a wildcard value: access-control-expose-headers: * however, this won't wildcard the authorization header, so if you need to expose that, you will need to list it explicitly: access-control-expose-headers: *, authorization specifications specification status comment fetchthe definition of 'access-control-expose-headers' in that specification.
Index - HTTP
7 access-control-allow-credentials cors, http, reference, header the access-control-allow-credentials response header tells browsers whether to expose the response to frontend javascript code when the request's credentials mode (request.credentials) is "include".
... 18 authorization http, http header, reference, request header, header the http authorization request header contains the credentials to authenticate a user agent with a server, usually after the server has responded with a 401 unauthorized status and the www-authenticate header.
... 90 proxy-authorization http, http header, reference, request header, header the http proxy-authorization request header contains the credentials to authenticate a user agent to a proxy server, usually after the server has responded with a 407 proxy authentication required status and the proxy-authenticate header.
HTTP headers - HTTP
authorization contains the credentials to authenticate a user-agent with a server.
... proxy-authorization contains the credentials to authenticate a user agent with a proxy server.
... access-control-allow-credentials indicates whether the response to the request can be exposed when the credentials flag is true.
jpm - Archive of obsolete content
to get values for --api-key and --api-secret, you will need to create api credentials on addons.mozilla.org.
...you should revoke and regenerate compromised api credentials immediately.
Downloading Files - Archive of obsolete content
lfprogress, acurtotalprogress, amaxtotalprogress) { var percentcomplete = math.round((acurtotalprogress / amaxtotalprogress) * 100); progresselement.textcontent = percentcomplete +"%"; }, onstatechange: function(awebprogress, arequest, astateflags, astatus) { // do something } } persist.saveuri(obj_uri, null, null, null, "", targetfile, privacy); downloading files that require credentials before calling nsiwebbrowserpersist.saveuri(), you need to set the progresslistener property of the nsiwebbrowserpersist instance to an object that implements nsiauthprompt.
... normally, nsiauthprompt expects a prompt to be displayed so the user can enter credentials, but you can return a username and password credentials directly without prompting the user.
Index - Archive of obsolete content
52 passwords add-on sdk interact with firefox's password manager to add, retrieve and remove stored credentials.
... 450 firefox accounts oauth dashboard authentication, firefox accounts, identity, mozilla, fxa fxa oauth credential management dashboard is a web application that lets you provision firefox accounts oauth credentials.
SQL Injection - MDN Web Docs Glossary: Definitions of Web-related terms
word, behind the gui the sql queries work as follows: "select count(*) from users where username=' " + txt.user.text+" ' and password=' "+ txt.password.text+" ' "; now suppose user enters the username: admin and password: passwd123, so after clicking on the log in button, sql query will run as follows: "select count(*) from users where username=' admin ' and password=' passwd123 ' "; if the credentials are correct, then the user is allowed to log in, so it's a very simple (and therefore insecure) mechanism.
... how to prevent before executing the queries for the user credentials, make some changes like the following: $id = $_get['id'] (1) $id = stripslashes($id) (2) $id = mysql_real_escape_string($id) so due to (1) each single quote (') in the input string is replaced with double quotes ("), and due to (2) before every (') it adds (/).
Integrated Authentication
so, it is paramount that the browser does not freely exchange ntlm user credentials with any server that requests them.
... the ntlm response includes a hash of the user's logon credentials.
Phishing: a short definition
the login portal might resemble the trusted website's login page very closely, and convince users to enter their credentials, letting others hijack their account.
...users look for these when logging in, and only enter their credentials when they recognize the user defined pictures or words.
NSS 3.51.1 release notes
notable changes in nss 3.51.1 bug 1617968 - update delegated credentials implementation to draft-07.
... bug 1617968 - update delegated credentials implementation to draft-07.
XPCOM Interface Reference by grouping
sagemanager nsiscriptableio nsixpcscriptable future nsixmlhttprequestupload obsolete nsixmlrpcclient nsixmlrpcfault security auth nsiauthmodule nsiauthprompt nsiauthpromptprovider nsiauthpromptwrapper nsiasyncverifyredirectcallback content nsicontentpolicy credentials nsilogininfo nsiloginmanager using nsiloginmanager nsiloginmanagerstorage nsiloginmetainfo history nsiglobalhistory nsiglobalhistory2 nsiglobalhistory3 ssl nsibadcertlistener2 system action nsicancelable application ...
... nsialertsservice nsiwebprogress nsiwebprogresslistener nsiwebprogresslistener2 update nsiupdate nsiupdatechecker nsiupdatechecklistener nsiupdateitem nsiupdatemanager nsiupdatepatch nsiupdateprompt nsiupdatetimermanager nsiprogramminglanguage thunderbird credentials nsimsgaccountmanagerextension element nsieditormailsupport message nsidbchangeannouncer nsidbchangelistener nsimessenger nsimsgcompfields nsimsgcustomcolumnhandler nsimsgdatabase nsimsgdbhdr nsimsgdbview nsimsgdbviewcommandupdater nsimsgfolder nsimsgidentity nsims...
AuthenticatorAttestationResponse.getTransports() - Web APIs
note: an authenticatorattestationresponse instance is available on publickeycredential.response after calling navigator.credentials.create().
... examples var publickey = { challenge: /* from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(16), name: "jdoe@example.com", displayname: "john doe" }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.credentials.create({ publickey }) .then(function (newcredentialinfo) { var transports = newcredentialinfo.response.gettransports(); console.table(transports); // may be something like ["internal", "nfc", "usb"] }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key crede...
AuthenticatorAttestationResponse - Web APIs
the authenticatorattestationresponse interface of the web authentication api is returned by credentialscontainer.create() when a publickeycredential is passed, and provides a cryptographic root of trust for the new key pair that has been generated.
... examples var publickey = { challenge: /* from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(16), name: "jdoe@example.com", displayname: "john doe" }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.credentials.create({ publickey }) .then(function (newcredentialinfo) { var response = newcredentialinfo.response; // do something with the response // (sending it back to the relying party server maybe?) }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credenti...
AuthenticatorResponse.clientDataJSON - Web APIs
the clientdatajson property of the authenticatorresponse interface stores a json string in an arraybuffer, representing the client data that was passed to credentialscontainer.create() or credentialscontainer.get().
...clientdataobj = json.parse(clientdatastr); console.log(clientdataobj.type); // "webauthn.create" or "webauthn.get" console.log(clientdataobj.challenge); // base64 encoded string containing the original challenge console.log(clientdataobj.origin); // the window.origin specifications specification status comment web authentication: an api for accessing public key credentials level 1the definition of 'clientdatajson' in that specification.
EventSource - Web APIs
constructor eventsource() creates a new eventsource to handle receiving server-sent events from a specified url, optionally in credentials mode.
... eventsource.withcredentials read only a boolean indicating whether the eventsource object was instantiated with cross-origin (cors) credentials set (true), or not (false, the default).
FederatedCredential - Web APIs
the federatedcredential interface of the credential management api provides information about credentials from a federated identity provider.
... examples var cred = new federatedcredential({ id: id, name: name, provider: 'https://account.google.com', iconurl: iconurl }); // store it navigator.credentials.store(cred) .then(function() { // do something else.
PasswordCredential - Web APIs
var form = document.queryselector('#form'); var creds = new passwordcredential(form); // store the credentials.
... navigator.credentials.store(creds) .then(function(creds) { // do something with the credentials if you need to.
PasswordCredential.additionalData - Web APIs
the data in the objects will be added to the request body and sent to the remote endpoint with the credentials.
...navigator.credentials.get(options).then(function(creds) { if (creds.type == 'password') { var form = new formdata(); var csrf_token = document.queryselector('csrf_token').value; form.append('csrf_token', csrf_token); creds.additionaldata = form; fetch('https://www.example.com', { method: 'post', credentials: creds }); }; }); specifications specification status ...
PasswordCredential - Web APIs
the data in the objects will be added to the request body and sent to the remote endpoint with the credentials.
... examples var cred = new passwordcredential({ id: id, password: password, name: name, iconurl: iconurl }); navigator.credentials.store(cred) .then(function() { // do something else.
Payment Request API - Web APIs
credentials management: users can manage their credit cards and shipping addresses directly in the browser.
... a browser can also sync these "credentials" across devices, making it easy for users to jump from desktop to mobile and back again when buying things.
PublicKeyCredential.id - Web APIs
mples var publickey = { challenge: new uint8array(26) /* this actually is given from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(26), /* to be changed for each user */ name: "jdoe@example.com", displayname: "john doe", }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.credentials.create({ publickey }) .then(function (newcredentialinfo) { var id = newcredentialinfo.id; // do something with the id // send attestation response and client extensions // to the server to proceed with the registration // of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment we...
...b authentication: an api for accessing public key credentials level 1the definition of 'id' in that specification.
PublicKeyCredentialCreationOptions.challenge - Web APIs
note: when the credential is retrieved with a navigator.credentials.get() call, the signature of the challenge is contained in authenticatorassertionresponse.signature.
...mples var publickey = { challenge: new uint8array(26) /* this actually is given from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(26), /* to be changed for each user */ name: "jdoe@example.com", displayname: "john doe", }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.credentials.create({ publickey }) .then(function (newcredentialinfo) { // send attestation response and client extensions // to the server to proceed with the registration // of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1...
PublicKeyCredentialCreationOptions.rp - Web APIs
the rp property of the publickeycredentialcreationoptions dictionary is an object describing the relying party which requested the credential creation (via navigator.credentials.create()).
... examples var publickey = { challenge: /* from the server */, rp: { name: "example corp", id : "login.example.com", icon: "https://login.example.com/login.ico" }, user: { id: new uint8array(16), name: "jdoe@example.com", displayname: "john doe" }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.credentials.create({ publickey }) .then(function (newcredentialinfo) { // send attestation response and client extensions // to the server to proceed with the registration // of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1...
PublicKeyCredentialCreationOptions.timeout - Web APIs
note: an analogous option exists for the fetching operation (navigator.credentials.get()), see publickeycredentialrequestoptions.timeout.
... challenge: new uint8array(26) /* this actually is given from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(26), /* to be changed for each user */ name: "jdoe@example.com", displayname: "john doe", }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.credentials.create({ publickey }) .then(function (newcredentialinfo) { // send attestation response and client extensions // to the server to proceed with the registration // of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1...
PublicKeyCredentialRequestOptions.challenge - Web APIs
note: when the credential is created with a navigator.credentials.create() call, the signature of the challenge is contained within authenticatorattestationresponse.attestationobject.
... examples var options = { challenge: new uint8array([/* bytes sent from the server */]) }; navigator.credentials.get({ "publickey": options }) .then(function (credentialinfoassertion) { // send assertion response back to the server // to proceed with the control of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1the definition of...
PublicKeyCredentialRequestOptions.extensions - Web APIs
note: an analogous option exists for the creation operation (navigator.credentials.create()), see publickeycredentialcreationoptions.extensions.
... examples var options = { extensions: { uvm: true, loc: false, txauthsimple: "could you please verify yourself?" }, challenge: new uint8array([/* bytes sent from the server */]) }; navigator.credentials.get({ "publickey": options }) .then(function (credentialinfoassertion) { // send assertion response back to the server // to proceed with the control of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1the definition of...
PublicKeyCredentialRequestOptions.rpId - Web APIs
note: an analogous option exists for the creation operation (navigator.credentials.create()), see the id property of publickeycredentialcreationoptions.rp.
... examples var options = { challenge: new uint8array([/* bytes sent from the server */]), rpid: "example.com" // will only work if the current domain // is something like foo.example.com }; navigator.credentials.get({ "publickey": options }) .then(function (credentialinfoassertion) { // send assertion response back to the server // to proceed with the control of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1the definition of ...
PublicKeyCredentialRequestOptions.timeout - Web APIs
note: an analogous option exists for the creation operation (navigator.credentials.create()), see publickeycredentialcreationoptions.timeout.
... examples var options = { challenge: new uint8array([/* bytes sent from the server */]), timeout: 60000 // wait a minute for the fetching operation // and maybe fail if it takes longer }; navigator.credentials.get({ "publickey": options }) .then(function (credentialinfoassertion) { // send assertion response back to the server // to proceed with the control of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1 the definition of ...
PublicKeyCredentialRequestOptions.userVerification - Web APIs
note: an analogous option exists for the creation operation (navigator.credentials.create()), see the userverification property of publickeycredentialcreationoptions.authenticatorselection.
... examples var options = { userverification: "preferred", challenge: new uint8array([/* bytes sent from the server */]), }; navigator.credentials.get({ "publickey": options }) .then(function (credentialinfoassertion) { // send assertion response back to the server // to proceed with the control of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1the definition of ...
RTCPeerConnection.createOffer() - Web APIs
this will cause the returned offer to have different credentials than those already in place.
...specify false to keep the same credentials and therefore not restart ice.
RTCPeerConnection.setConfiguration() - Web APIs
exceptions invalidaccesserror one or more of the urls specified in configuration.iceservers is a turn server, but complete login information is not provided (that is, either the rtciceserver.username or rtciceserver.credentials is missing).
... }] }; mypeerconnection.setconfiguration(restartconfig); mypeerconnection.createoffer({"icerestart": true}).then(function(offer) { return mypeerconnection.setlocaldescription(offer); }) .then(function() { // send the offer to the other peer using the signaling server }) .catch(reporterror); first, a new rtcconfiguration is created, restartconfig, specifying the new ice server and its credentials.
Request() - Web APIs
credentials: the request credentials you want to use for the request: omit, same-origin, or include.
... errors type description typeerror since firefox 43, request() will throw a typeerror if the url has credentials, such as http://user:password@example.com.
SharedWorker() - Web APIs
credentials: a domstring specifying the type of credentials to use for the worker.
...if not specified, or if type is classic, the default used is omit (no credentials required).
Attestation and Assertion - Web APIs
testation, the only option for android devices was to create android safetynet attestations fido u2f - security keys that implement the fido u2f standard use this format none - browsers may prompt users whether they want a site to be allowed to see their attestation data and/or may remove attestation data from the authenticator's response if the `attestation` parameter in `navigator.credentials.create()` is set to `none` the purpose of attestation is to cryptographically prove that a newly generated key pair came from a specific device.
...used by a service to give a scope to credentials.
Worker() - Web APIs
credentials: a domstring specifying the type of credentials to use for the worker.
...if not specified, or if type is classic, the default used is omit (no credentials required).
XMLHttpRequest() - Web APIs
const request = new xmlhttprequest(paramsdictionary); parameters (non-standard) objparameters there are two flags you can set: mozanon boolean: setting this flag to true will cause the browser not to expose the origin and user credentials when fetching resources.
...this can't be combined with sending cookies or other user credentials.
Reason: CORS header 'Access-Control-Allow-Origin' missing - HTTP
in addition, the wildcard only works for requests made with the crossorigin attribute set to anonymous, and it prevents sending credentials like cookies in requests.
... to allow any site to make cors requests without using the * wildcard (for example, to enable credentials), your server must read the value of the request's origin header and use that value to set access-control-allow-origin, and must also set a vary: origin header to indicate that some headers are being set dynamically depending on the origin.
Access-Control-Allow-Headers - HTTP
* (wildcard) the value "*" only counts as a special wildcard value for requests without credentials (requests without http cookies or http authentication information).
... in requests with credentials, it is treated as the literal header name "*" without special semantics.
Access-Control-Allow-Methods - HTTP
* (wildcard) the value "*" only counts as a special wildcard value for requests without credentials (requests without http cookies or http authentication information).
... in requests with credentials, it is treated as the literal method name "*" without special semantics.
Access-Control-Allow-Origin - HTTP
header type response header forbidden header name no syntax access-control-allow-origin: * access-control-allow-origin: <origin> access-control-allow-origin: null directives * for requests without credentials, the literal value "*" can be specified, as a wildcard; the value tells browsers to allow requesting code from any origin to access the resource.
... attempting to use the wildcard with credentials will result in an error.
Feature-Policy - HTTP
publickey-credentials-get controls whether the current document is allowed to use the web authentication api to retrieve already stored public-key credentials, i.e.
... via navigator.credentials.get({publickey: ..., ...}).
Insecure passwords - Web security
if a website uses http instead of https, it is trivial to steal user information (such as their login credentials).
...web developers of the news site may be less motivated to secure their site and their user credentials.
Types of attacks - Web security
this can be used, for example, to steal login credentials or to get the user's unwitting permission to install a piece of malware.
... man-in-the-middle (mitm) a third party intercepts traffic between a web server and a client (browser), and impersonates the web server in order to capture data (such as login credentials or credit card information).
High-Level APIs - Archive of obsolete content
passwords interact with firefox's password manager to add, retrieve and remove stored credentials.
HTTP Class Overview - Archive of obsolete content
ttpchunkeddecoder owned by a transaction strips chunked transfer encoding nshttprequesthead owns a nshttpheaderarray knows how to fill a request buffer nshttpresponsehead owns a nshttpheaderarray knows how to parse response lines performs common header manipulations/calculations nshttpheaderarray stores http "<header>:<value>" pairs nshttpauthcache stores authentication credentials for http auth domains nshttpbasicauth implements nsihttpauthenticator generates basic auth credentials from user:pass nshttpdigestauth implements nsihttpauthenticator generates digest auth credentials from user:pass original document information author(s): darin fisher last updated date: august 5, 2002 copyright information: portions of this content are © 1998–2007 by indiv...
CORS - MDN Web Docs Glossary: Definitions of Web-related terms
access-control-allow-credentials indicates whether or not the response to the request can be exposed when the credentials flag is true.
Index - MDN Web Docs Glossary: Definitions of Web-related terms
challenge-response protocols are one way to fight against replay attacks where an attacker listens to the previous messages and resends them at a later time to get the same credentials as the original message.
Challenge-response authentication - MDN Web Docs Glossary: Definitions of Web-related terms
challenge-response protocols are one way to fight against replay attacks where an attacker listens to the previous messages and resends them at a later time to get the same credentials as the original message.
Setting up your own test automation environment - Learn web development
you just need to create your driver instance, but with a few more features specified, including the capabilities of the browser you want to test on, the address of the server, and the user credentials you need (if any) to access it.
mozbrowserusernameandpasswordrequired
the embedder is supposed to retrieve the necessary credentials, usually using a dialog or a database of username/passwords, and then call authenticate() or cancel() as appropriate.
SVN for Localizers
since you are writing to the repository here, you will be asked for your ldap login credentials.
NSS 3.45 release notes
notable changes in nss 3.45 bug 1540403 - implement delegated credentials (draft-ietf-tls-subcerts) this adds a new experimental function: ssl_delegatecredential note: in 3.45, selfserv does not yet support delegated credentials.
NSS 3.46 release notes
563258 - fips.sh fails due to non-existent "resp" directories bug 1561598 - remove -wmaybe-uninitialized warning in pqg.c bug 1560806 - increase softoken password max size to 500 characters bug 1568776 - output paths relative to repository in nss coverity bug 1453408 - modutil -changepw fails in fips mode if password is an empty string bug 1564727 - use a pss spki when possible for delegated credentials bug 1493916 - fix ppc64 inline assembler for clang bug 1561588 - remove -wmaybe-uninitialized warning in p7env.c bug 1561548 - remove -wmaybe-uninitialized warning in pkix_pl_ldapdefaultclient.c bug 1512605 - incorrect alert description after unencrypted finished msg bug 1564715 - read /proc/cpuinfo when at_hwcap2 returns 0 bug 1532194 - remove or fix -ddebug_$user from make builds bug 156...
NSS 3.52 release notes
bug 1617968 - update delegated credentials implementation to draft-07.
Secure Development Guidelines
in an unsigned int; if the input doesn’t have to be > 512, cut it off there; if the input should only be [a-zA-Z0-9], enforce it. cross site scripting (xss): xss is a type of code injection attack; typically occurs in web applications; injection of arbitrary data into an html document from another site; victim’s browser executes those html instructions; could be used to steal user credentials; think: webmail, online auction, cms, online banking...
imgILoader
loadflags aloadflags, in nsisupports cachekey, in imgirequest arequest, in nsichannelpolicy channelpolicy); imgirequest loadimagewithchannel(in nsichannel achannel, in imgidecoderobserver aobserver, in nsisupports cx, out nsistreamlistener alistener); boolean supportimagewithmimetype(in string mimetype); constants constant value description load_cors_anonymous 1 << 16 load_cors_use_credentials 1 << 17 methods loadimage() start the load and decode of an image.
imgIRequest
cors_anonymous 2 cors_use_credentials 3 methods cancelandforgetobserver() cancels this request as in nsirequest.cancel(); further, also nulls out decoderobserver so it gets no further notifications from us.
nsISocketProvider
anonymous_connect 1 << 1 when setting this flag, the socket will not apply any credentials when establishing a connection.
nsISocketTransport
anonymous_connect 1 when this flag is set, the socket will not apply any credentials when establishing a connection.
Document.execCommand() - Web APIs
clearauthenticationcache clears all authentication credentials from the cache.
EventSource() - Web APIs
the possible entries are: withcredentials, defaulting to false, indicating if cors should be set to include credentials.
Navigator - Web APIs
navigator.credentials returns the credentialscontainer interface which exposes methods to request credentials and notify the user agent when interesting events occur such as successful sign in or sign out.
PaymentResponse.complete() - Web APIs
var payment = new paymentrequest(supportedinstruments, details, options); payment.show().then(function(paymentresponse) { var fetchoptions = { method: 'post', credentials: include, body: json.stringify(paymentresponse) }; var serverpaymentrequest = new request('secure/payment/endpoint'); fetch(serverpaymentrequest, fetchoptions).then( response => { if (response.status < 400) { paymentresponse.complete("success"); } else { paymentresponse.complete("fail"); }; }).catch( reason => { paymentresponse.complete("fail"); }); }).ca...
Using the Payment Request API - Web APIs
in the following snippet we do just this — depending on whether the user can make a fast payment or needs to add payment credentials first, the title of the checkout button changes between "fast checkout with w3c" and "setup w3c checkout".
PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() - Web APIs
ed with the creation of a publickeycredential // with this authenticator } else { // use another kind of authenticator or a classical login/password // workflow } }).catch(function(err){ // something went wrong console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1 the definition of 'isuserverifyingplatformauthenticatoravailable' in that specification.
PublicKeyCredentialCreationOptions.attestation - Web APIs
attestation: "indirect", challenge: new uint8array(26) /* this actually is given from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(26), /* to be changed for each user */ name: "jdoe@example.com", displayname: "john doe", }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.credentials.create({ publickey }) .then(function (newcredentialinfo) { // send attestation response and client extensions // to the server to proceed with the registration // of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1...
PublicKeyCredentialCreationOptions.authenticatorSelection - Web APIs
userverification: "required" }, challenge: new uint8array(26) /* this actually is given from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(26), /* to be changed for each user */ name: "jdoe@example.com", displayname: "john doe", }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.credentials.create({ publickey }) .then(function (newcredentialinfo) { // send attestation response and client extensions // to the server to proceed with the registration // of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1...
PublicKeyCredentialCreationOptions.pubKeyCredParams - Web APIs
ot, then we will fallback on an rsa algorithm { type: "public-key", alg: -37 } ], challenge: new uint8array(26) /* this actually is given from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(26), /* to be changed for each user */ name: "jdoe@example.com", displayname: "john doe", } }; navigator.credentials.create({ publickey }) .then(function (newcredentialinfo) { // send attestation response and client extensions // to the server to proceed with the registration // of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1...
RTCPeerConnection.restartIce() - Web APIs
restarting ice essentially resets ice so that it creates all new candidates using new credentials.
Using server-sent events - Web APIs
for example, assuming the client script is on example.com: const evtsource = new eventsource("//api.example.com/ssedemo.php", { withcredentials: true } ); once you've instantiated your event source, you can begin listening for messages from the server by attaching a handler for the message event: evtsource.onmessage = function(event) { const newelement = document.createelement("li"); const eventlist = document.getelementbyid("list"); newelement.innerhtml = "message: " + event.data; eventlist.appendchild(newelement); } this c...
XMLHttpRequest - Web APIs
xmlhttprequest.withcredentials is a boolean that indicates whether or not cross-site access-control requests should be made using credentials such as cookies or authorization headers.
Web APIs
canvaspattern canvasrenderingcontext2d caretposition channelmergernode channelsplitternode characterdata childnode client clients clipboard clipboardevent clipboarditem closeevent comment compositionevent constantsourcenode constrainboolean constraindomstring constraindouble constrainulong contentindex contentindexevent convolvernode countqueuingstrategy crashreportbody credential credentialscontainer crypto cryptokey cryptokeypair customelementregistry customevent d domconfiguration domerror domexception domhighrestimestamp domimplementation domimplementationlist domlocator dommatrix dommatrixreadonly domobject domparser dompoint dompointinit dompointreadonly domquad domrect domrectreadonly domstring domstringlist domstringmap domtimestamp domtokenlist domuserdata ...
<button>: The Button element - HTML: Hypertext Markup Language
use when the form contains information that shouldn’t be public, like login credentials.
CORS errors - HTTP
not http reason: cors header ‘access-control-allow-origin’ missing reason: cors header ‘access-control-allow-origin’ does not match ‘xyz’ reason: credential is not supported if the cors header ‘access-control-allow-origin’ is ‘*’ reason: did not find method in cors header ‘access-control-allow-methods’ reason: expected ‘true’ in cors header ‘access-control-allow-credentials’ reason: cors preflight channel did not succeed reason: invalid token ‘xyz’ in cors header ‘access-control-allow-methods’ reason: invalid token ‘xyz’ in cors header ‘access-control-allow-headers’ reason: missing token ‘xyz’ in cors header ‘access-control-allow-headers’ from cors preflight channel reason: multiple cors header ‘access-control-allow-origin’ not all...
Clear-Site-Data - HTTP
http authentication credentials are also cleared out.
401 Unauthorized - HTTP
the http 401 unauthorized client error status response code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource.
407 Proxy Authentication Required - HTTP
the http 407 proxy authentication required client error status response code indicates that the request has not been applied because it lacks valid authentication credentials for a proxy server that is between the browser and the server that can access the requested resource.
Grammar and types - JavaScript
// multiline strings `in javascript, template strings can run over multiple lines, but double and single quoted strings cannot.` // string interpolation var name = 'bob', time = 'today'; `hello ${name}, how are you ${time}?` // construct an http request prefix used to interpret the replacements and construction post`http://foo.org/bar?a=${a}&b=${b} content-type: application/json x-credentials: ${credentials} { "foo": ${foo}, "bar": ${bar}}`(myonreadystatechangehandler); you should use string literals unless you specifically need to use a string object.
Web app manifests
note: if the manifest requires credentials to fetch - the crossorigin attribute must be set to use-credentials, even if the manifest file is in the same origin as the current page.
Mixed content - Web security
malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example).
Secure contexts - Web security
get access to data such as user credentials.