"This great technology" is no different in a browser than a fat client, except that in a fat client app you sometimes have to do some work that the browser might be doing for you with some options set up, etc. Usually even in the browser those options can be locked down and then you have to do the same work in script coming from the browser. So I wouldn't separate the two, personally.

And pardon me but it's in use in corporate environments all over the place.

I can't tell you for sure what your problem is, and I understand that you are accessing non-passworded external resources. However, if the corporate domain has policies in place limiting some users' access to the internet, then they do.

This can be done for a lot of reasons. In some places some specific users are just "not allowed to browse", in others there are extra levels of virus-watching software etc, making sure that something isn't using the logged-in user's identity unawares to accomplish other internet-accessing tasks.

The first thing to find out is whether there's a proxy in place of some sort. IAC, just because the internet sites you're accessing are public doesn't mean that credentials don't have to be submitted before the request is let out of the house into the wacky world out there.

It should be possible to surmount this, but it probably won't be easy, and some (network admins) will tell you that's by design. It doesn't mean that there is something wrong with the technology that you have to learn more and write more code to handle things securely, it's just the way life has to be.

In the meantime, the first thing you need to do in any corporate environment is to make friends with the above-mentioned network admins and find out exactly what policies, security software, domain rules, etc they have in place. Then you look for how to address those requirements correctly. It's not voodoo, and it's not "one size fits all".

It's best not to look for a solution to somehow circumvent all the security levels and layers. Even when you can do this, all that means is a security hole that should eventually be plugged, and will be as soon as enough people figure it out.

I guess it's possible that you've hit a combination of factors nobody has ever seen before with your use of the http request objs, and sure it's possible you have found a bug. But the former is unlikely and the latter is possibly addressed by knowing exactly what security rules and software you're dealing with.

>L<