Re: [whatwg] Fetch: HTTP Authentication

From: Robin Berjon <robin@w3.org>
Date: Thu, 14 Mar 2013 16:34:52 +0000
Message-ID: <5141FC2C.2010401@w3.org>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WHATWG <whatwg@whatwg.org>

On 14/03/2013 15:59 , Anne van Kesteren wrote:
> So if the server replies with status 401 and a WWW-Authenticate header
> that is properly formatted (I did not do detailed syntax checks but
> e.g. WWW-Authenticate: basicerror does not work) is present, we prompt
> the user. We do this for <img>, <script>, new Worker(),
> XMLHttpRequest, workers' importScripts() (including shared workers!),
> ...
>
> We do not prompt for cross-origin requests when CORS is opted into.
>
> Is there anything we should do here? Prompting the end user for
> requests they did not explicitly initiate via navigation seems very
> confusing. On the other hand maybe creating a divergence here is not
> worth it at this point.

People who don't rely on this will never have their users see the 
prompts, so it's hardly harming them.

People who *do* rely on this (assuming they exist — in this case they 
probably do somewhere) will find their services broken if we change it. 
So on the face of things, I get the impression that there's zero cost in 
keeping things the way they are, and risk in changing them.

I think that the lack of interoperability, and the complete inanity of 
prompting in browsers where it happens, is more problematic in the case 
of unsafe redirects.

-- 
Robin Berjon - http://berjon.com/ - @robinberjon
Received on Thursday, 14 March 2013 16:35:29 GMT