Re: [whatwg/fetch] Block subresource requests whose URLs include credentials. (#465)

I'd suggest blocking those as well; they're included in the Chrome metric noted above, and they have similar properties from a security perspective. Basically, I think basic/digest auth is ~fine as a browser-mediated mechanism of allowing users to sign into sites and maintain state in some way. I think it's significantly less fine when the credentials are controlled by the page.

https://github.com/whatwg/fetch/pull/465#issuecomment-274802877

Received on Tuesday, 24 January 2017 13:31:43 UTC