
crossorigin=anonymous and auth dialogs?

From: Eduardo' Vela <evn@google.com>
Date: Thu, 9 May 2013 19:05:55 -0700
Message-ID: <CAFswPa9Oi+R=6++zdBMXrJyCq9nApXLSwq-OWw-_O60+OA90Ww@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Question:
Should an <img> with crossorigin=anonymous pop out auth dialogs?

<img src="http://0x.lv/xss.php?status=401&http_xss=WWW-Authenticate:%20Basic%20realm=%22Hola%22"
     crossorigin="anonymous%0A">

References:
http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#cors-settings-attribute

Answer:
No, I don't think it should, because then one of two things can happen:

   1. The user puts in their credentials.
   2. The user cancels.

If (1) happens, then the request should fail and the image should be
tainted as if the response had no ACAO.
If (2) happens, and there was an ACAO, then it succeeds.

If the hosting page is saying they already want no credentials sent, then
it shouldn't include any (unless, well, there's one in the URL).

Also, my hidden agenda is that we could solve the super annoying 401 Auth
dialogs for phishing.

Greetings!!
Received on Friday, 10 May 2013 02:06:44 UTC
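The rules the message leans on (which values of crossorigin map to which CORS state, what credentials the request carries, the CORS check the response must pass) and the policy it proposes, written out as an added example so both branches can be checked offline. This is not code from the original post or from any browser; function and parameter names are my own, and it assumes the posted 0x.lv/xss.php endpoint simply echoes the status and header line given in the query string, which the message does not state.

```javascript
// HTML "CORS settings attribute": attribute absent -> No CORS state;
// "use-credentials" (ASCII case-insensitive) -> Use Credentials; any
// other value is the invalid value default -> Anonymous. So the posted
// crossorigin="anonymous%0A" still ends up Anonymous.
function corsSettingsState(attrValue) {
  if (attrValue === null || attrValue === undefined) return 'no-cors';
  return attrValue.toLowerCase() === 'use-credentials' ? 'use-credentials' : 'anonymous';
}

// What the request carries. An anonymous request sends no cookies or
// HTTP auth state, but userinfo embedded in the URL (http://u:p@host/)
// still goes out: the "unless there's one in the URL" caveat.
function requestCredentials(state, src) {
  const url = new URL(src);
  return {
    cookies: state !== 'anonymous',
    urlUserinfo: url.username !== '' || url.password !== '',
  };
}

// Assumption: the test endpoint in the post echoes ?status= as the HTTP
// status and ?http_xss= as one verbatim header line.
function challengeFromTestUrl(src) {
  const q = new URL(src).searchParams;
  const status = Number(q.get('status'));
  const line = q.get('http_xss') || '';
  const idx = line.indexOf(':');
  const headers = idx >= 0
    ? { [line.slice(0, idx).trim().toLowerCase()]: line.slice(idx + 1).trim() }
    : {};
  return { status, headers };
}

// Minimal WWW-Authenticate parser: scheme token, then key=value params
// (quoted or bare). Returns null if the value is not a challenge.
function parseWwwAuthenticate(value) {
  const m = /^\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)\s*(.*)$/.exec(value);
  if (!m) return null;
  const params = {};
  for (const p of m[2].matchAll(/([A-Za-z0-9_-]+)\s*=\s*("([^"]*)"|[^\s,]+)/g)) {
    params[p[1].toLowerCase()] = p[3] !== undefined ? p[3] : p[2];
  }
  return { scheme: m[1], params };
}

// CORS check as applied to the response. Anonymous accepts "*" or the
// page origin; use-credentials needs the exact origin plus
// Access-Control-Allow-Credentials: true.
function corsCheck(state, responseHeaders, pageOrigin) {
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (state === 'use-credentials') {
    return acao === pageOrigin && responseHeaders['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}

// Outcome of one <img> load. promptPolicy 'current' lets a 401 challenge
// raise a Basic-auth dialog; 'proposed' is the post's suggestion: never
// prompt for an anonymous CORS request. userEntersCredentials only matters
// when a dialog was actually shown.
function imgLoadOutcome({ crossorigin, src, status, responseHeaders, pageOrigin,
                          promptPolicy = 'proposed', userEntersCredentials = false }) {
  const state = corsSettingsState(crossorigin);
  const challenge = status === 401 && responseHeaders['www-authenticate']
    ? parseWwwAuthenticate(responseHeaders['www-authenticate'])
    : null;
  const dialogShown = challenge !== null && !(state === 'anonymous' && promptPolicy === 'proposed');

  if (state === 'no-cors') {
    // No CORS at all: whatever loads is always tainted.
    return { state, dialogShown, result: 'opaque' };
  }
  if (dialogShown && userEntersCredentials && state === 'anonymous') {
    // The post's rule: credentials went out on a request the page asked to
    // be credential-free, so treat the response as if it had no ACAO.
    return { state, dialogShown, result: 'error', reason: 'credentials sent on anonymous request' };
  }
  const pass = corsCheck(state, responseHeaders, pageOrigin);
  return { state, dialogShown, result: pass ? 'cors-ok' : 'error',
           reason: pass ? undefined : 'cors check failed' };
}

// The test case from the post, run through the model.
const TEST_SRC = 'http://0x.lv/xss.php?status=401&http_xss=WWW-Authenticate:%20Basic%20realm=%22Hola%22';
const challenge = challengeFromTestUrl(TEST_SRC);
console.log(parseWwwAuthenticate(challenge.headers['www-authenticate']));
console.log(imgLoadOutcome({ crossorigin: 'anonymous%0A', src: TEST_SRC, status: challenge.status,
                             responseHeaders: challenge.headers, pageOrigin: 'https://example.test' }));
```

Under the proposed policy the anonymous case never reaches a dialog and simply fails the CORS check; under the current policy the two branches the post lists fall out of the same function: credentials entered means error, cancel plus an ACAO means success.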
