undefined | Better HN

0 pointspaulgb2y ago0 comments

For better or worse, basic auth in the URL isn't really an option any more, (e.g. see https://stackoverflow.com/a/57193064). I think the issue was that it reveals the secret to anyone who can see the URL bar, but the alternative we got still has that problem and also has the problem that the secret is no longer separable from the resource identifier.

0 comments

thayne2y ago

The browser could hide the secret after it is entered.

paulgbOP2y ago

Yeah, and it would still be useful for queries that never appear in the URL bar (like EventSource and WebSocket, where setting an Authorization header is not something that’s exposed by the browser)

j / k navigate · click thread line to collapse

0 pointspaulgb2y ago0 comments

0 comments

thayne2y ago

The browser could hide the secret after it is entered.

paulgbOP2y ago

j / k navigate · click thread line to collapse