- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sat, 9 Aug 2014 12:42:00 +0200
- To: Hatter Jiang <jht5945@gmail.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Fri, Aug 8, 2014 at 3:04 PM, Hatter Jiang <jht5945@gmail.com> wrote:
> <img src="http://www.example.com/cookie-mapping-pixel.jpg?cookie-id=123456">
>
> But when `www.example.com` is hacked, the server returns a `401` HTTP status,
> then the browser will pop up a window letting the user input a username and
> password, and the user may not know that the username and password are needed
> by `www.example.com`, not by your website. On our website, we never use 401
> auth.
>
> So can we add a CSP directive like:
>
> http-auth: block;
>
> Then, when the browser sees this policy and the resource requires 401 auth,
> this request can be blocked.
>
> I think many sites need a feature like this.

Control over whether an authentication response causes a dialog is something
we want to offer (perhaps also through CSP, makes sense). I'm not sure if we
want an authentication response to cause a network error. That seems like an
orthogonal feature.

-- 
http://annevankesteren.nl/
Received on Saturday, 9 August 2014 10:42:27 UTC