What kind of header are we talking?

I want to insert the Authorization header. Please don't ask me why, it's a long and winded reason and we think our solution is that :-) but it is for working with an ISAPI filter that we have developped

Eric

According to all I have read about HTTP, it is the server that responds and the browser requests. The http request header is generated by the user-agent based on the browser's particulars. I know of no way to use JavaScript to modify the request header.

JavaScript can modify the meta tag http-equiv attributes of a document. I'm not sure if those attributes would make their way into a form's http request header. Perhaps someone can comment on that, if that's relevant to your application.

Further research makes it seem less likely that JavaScript can provide an Authorization header.

In HTTP there are Request headers generated by the client, Response headers generated by servers, and Entity headers associated with resources, usually pages.

It is the Entity header class that is addressed by the meta tags in an HTML page. Since client-side JavaScript only addresses the page, its effects wouldn't reach to the Request headers.

The inclusion of a Authorization header as part of a Request header is triggered by the server challenging an initial request with a WWW-Authenticate header. The receipt of the WWW-Authenticate header and the browser responding to it all reside out of JavaScript's domain.

Thanks. It seems bad news for us then. I imagine the only way forward would be either a Java applet or an ActiveX control then?

There is the XMLHttpRequest object (reasonably well-supported in modern browsers, and yes an ActiveX object in IE ). This has a method, setRequestHeader().

After searching under these terms, I found things like this:
[devx.com ]
I don't know whether this gets us anywhere.

Great thanks. This control is exactly what we need, thanks. This is also for Outool web access which does heavy use of that control so this is our solution. We'll try it and will let you know.

I'd be curious to know if it works, as the example appears to be setting an Entity header. So far I haven't found any reference to script manipulation of an Authorization header and I can imagine reasons why that would be restricted.

Yes it did work. Unfortunatelly this does not fit our problem, because the browser sends it when our form is up but not subsequent calls, presumably because it didn't get a WWW-Authenticate in the first place. We control the first page of the site but not subsequent ones so we can't put that JavaScript on them.

How about calling the subsequent pages into an iframe? If there are click events on the displayed page, it might be possible to trap them with a transparent overlay. It might get tricky, however, keeping the original page's functionality intact.

Once it is called on that first page, you should be able to then set the corresponding header at the server on the response to the request.

Perhaps the subsequent pages originate from a different domain, which would invalidate the original header. This could be a problem within one organization's site if you have something like [store.worldco.com...] and [catalog.worldco.com....] The behaviour is valid, however, since authentication spoofing could create a security nightmare. For that reason, I'm really surprised it's under the script's control at all.