W3C home > Mailing lists > Public > whatwg@whatwg.org > May 2012

[whatwg] Declarative unload data

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 7 May 2012 23:25:17 -0700
Message-ID: <CA+c2ei-tBPqMm-K97fZ+GQrVk6_qmz0xTony-vS9NsBN6h8f6g@mail.gmail.com>
On Mon, May 7, 2012 at 12:30 PM, Tab Atkins Jr. <jackalmage at gmail.com> wrote:
> On Mon, May 7, 2012 at 9:05 PM, Jonas Sicking <jonas at sicking.cc> wrote:
>> On Mon, May 7, 2012 at 8:59 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
>>> On 5/7/12 11:53 AM, Tab Atkins Jr. wrote:
>>>> Yes, definitely (unless you set .withCredentials on it or something,
>>>> like the XHR attribute).
>>>
>>> Hold on. ?If you _do_ set withCredentials, you should be required to pass
>>> the credentials in or something. ?Under no circumstances would prompting for
>>> credentials for a request associated with an already-unloaded page be OK
>>> from my point of view....
>>
>> There seems to be some confusion here regarding how withCredentials
>> works. First of all withCredentials is a CORS thing. CORS requests
>> *never* pop up an authentication dialog. (There is also the question
>> of if we want to support CORS here, I suspect we do).
>>
>> But I totally agree with Boris that we can't ever pop up security
>> dialogs for a site that the user has left.
>
> I definitely agree that we never pop up an auth dialog for an
> unloadHandler request. ?That's just silly.
>
> If I'm understanding XHR's withCredentials flag, it just sends the
> *existing* ambient credentials, to apply against HTTP auth (along with
> cookies and such). ?It doesn't prompt you for anything if you don't
> already have ambient credentials for a given site, right?

Correct.

/ Jonas
Received on Monday, 7 May 2012 23:25:17 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:08 GMT