W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2013

Re: [whatwg] Fetch: HTTP Authentication

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 14 Mar 2013 16:57:50 +0000
Message-ID: <CADnb78hmdEyYwx40VofhFX8-bdvX_hk273jtXPRH29dMKq6oEw@mail.gmail.com>
To: Robin Berjon <robin@w3.org>
Cc: WHATWG <whatwg@whatwg.org>
On Thu, Mar 14, 2013 at 4:34 PM, Robin Berjon <robin@w3.org> wrote:
> On 14/03/2013 15:59 , Anne van Kesteren wrote:
>> Is there anything we should do here? Prompting the end user for
>> requests they did not explicitly initiate via navigation seems very
>> confusing. On the other hand maybe creating a divergence here is not
>> worth it at this point.
> People who don't rely on this will never have their users see the prompts,
> so it's hardly harming them.
> People who *do* rely on this (assuming they exist — in this case they
> probably do somewhere) will find their services broken if we change it. So
> on the face of things, I get the impression that there's zero cost in
> keeping things the way they are, and risk in changing them.

Sure, I meant for new contexts and maybe some existing contexts, such
as workers. Also, for shared workers it's not entirely clear which
browsing context you'd prompt in if an importScript() or same-origin
XMLHttpRequest happened.

> I think that the lack of interoperability, and the complete inanity of
> prompting in browsers where it happens, is more problematic in the case of
> unsafe redirects.

There should simply be no prompting there, it makes no sense.

Received on Thursday, 14 March 2013 16:58:22 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:20 UTC