- From: Eduardo' Vela <evn@google.com>
- Date: Thu, 9 May 2013 19:05:55 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Friday, 10 May 2013 02:06:44 UTC
Question: Should an <img> with crossorigin=anonymous pop out auth dialogs?

<img src="http://0x.lv/xss.php?status=401&http_xss=WWW-Authenticate:%20Basic%20realm=%22Hola%22" crossorigin="anonymous%0A">

References: http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#cors-settings-attribute

Answer: No, I don't think it should, because then one of two things can happen:

1. The user puts their credentials.
2. The user cancels.

If (1) happens, then the request should fail and the image should be tainted as if the response had no ACAO. If (2) happens, and there was an ACAO, then it succeeds.

If the hosting page is saying they already want no credentials sent, then it shouldn't include any (unless, well, there's one in the URL).

Also, my hidden agenda is that we could solve the super annoying 401 Auth dialogs for phishing.

Greetings!!
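As an added example (not part of the post, and not spec or browser code), the following JavaScript models the behaviour argued for above across the three crossorigin states, including the invalid value "anonymous%0A" from the test markup. The page origin, the header values and the handling of a 401 under use-credentials are assumptions.

```javascript
// Added example (not from the post or the spec): a model of how an <img>
// fetch should behave for each crossorigin state, following the argument
// above. Inputs are constructed; no network request is made.

// Map the attribute value to the CORS settings attribute state: a missing
// attribute is "no-cors"; an invalid value (such as "anonymous%0A" in the
// post) takes the invalid-value default, "anonymous".
function corsSettingsState(attr) {
  if (attr === null || attr === undefined) return 'no-cors';
  return attr.toLowerCase() === 'use-credentials' ? 'use-credentials' : 'anonymous';
}

// response: { status, headers } with lower-case header names. Returns whether
// an auth dialog would appear, whether the image loads, and whether a canvas
// may read its pixels (i.e. the image is untainted).
function modelImageFetch(attr, pageOrigin, response) {
  const state = corsSettingsState(attr);
  const h = response.headers;
  const acao = h['access-control-allow-origin'];
  const allowCreds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';

  if (state === 'no-cors') {
    // Credentials are sent and the response is opaque: a 401 runs the normal
    // auth flow (the dialog the post objects to); a 200 loads but stays tainted.
    const challenged = response.status === 401;
    return { state, authPrompt: challenged, loads: response.status === 200, canvasUsable: false };
  }
  if (response.status === 401) {
    // anonymous: the page asked for no credentials, so there is nothing to
    // prompt for and the fetch simply fails. use-credentials: the page opted
    // in, so the model lets the auth flow run (an assumption, not spec text).
    return { state, authPrompt: state === 'use-credentials', loads: false, canvasUsable: false };
  }
  // CORS check: "*" is acceptable only without credentials; with credentials
  // the exact origin plus Access-Control-Allow-Credentials: true is required.
  const originOk = acao === pageOrigin || (acao === '*' && state === 'anonymous');
  const passes = response.status === 200 && originOk && (state === 'anonymous' || allowCreds);
  return { state, authPrompt: false, loads: passes, canvasUsable: passes };
}

// Constructed responses from a cross-origin image server (page origin assumed).
const PAGE = 'https://app.example';
const CHALLENGE = { status: 401, headers: { 'www-authenticate': 'Basic realm="Hola"', 'access-control-allow-origin': '*' } };
const PUBLIC_OK = { status: 200, headers: { 'access-control-allow-origin': '*' } };
const CREDS_OK = { status: 200, headers: { 'access-control-allow-origin': PAGE, 'access-control-allow-credentials': 'true' } };

console.log(modelImageFetch(null, PAGE, CHALLENGE));           // no-cors: authPrompt true
console.log(modelImageFetch('anonymous%0A', PAGE, CHALLENGE)); // anonymous: no prompt, load fails
console.log(modelImageFetch('use-credentials', PAGE, PUBLIC_OK)); // "*" rejected when credentials are sent
```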