
[CSP] prevent 401 attach

From: Hatter Jiang <jht5945@gmail.com>
Date: Fri, 8 Aug 2014 21:04:34 +0800
Message-ID: <CABp3Ti2a7qJDLZkYXnYbjtfTtNaNrrjWYP2poPYce-3+Rr0MCw@mail.gmail.com>
To: public-webappsec@w3.org
Websites always refer to third-party resources, like cookie mapping
pixels, with code like below:

<img src="http://www.example.com/cookie-mapping-pixel.jpg?cookie-id=123456">

But when `www.example.com` has been hacked and the server returns a `401` HTTP header,
the browser will pop up a window letting the user input a username and
password, and the user may not know the username and password are needed by
`www.example.com`, not by your website. In our website, we never use 401
auth.

So can we add the CSP like:

*http-auth: block;*

Then, when the browser sees this policy and a resource requires 401 auth, the
request can be blocked.

I think many sites need a feature like this.


Hatter Jiang
Received on Friday, 8 August 2014 13:08:43 UTC
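The following is an added example, not code from the message above or from any browser or the CSP specification. It models the proposed directive as a small policy check: which `401` responses would actually make a browser open its credential dialog (a `WWW-Authenticate` challenge using the Basic or Digest scheme; a `401` without a challenge, or with a scheme such as Bearer, fails the load without a prompt), and how a page policy containing the hypothetical `http-auth block` directive could refuse those subresource loads. The directive name and semantics are assumptions taken from the proposal, written in standard CSP `name value` syntax rather than the `http-auth: block;` form in the message; all URLs, headers and responses are constructed samples.

```python
"""Model of the hypothetical CSP directive `http-auth block`.

Added example, not code from the original message, any browser, or the
CSP spec. Flags subresource responses that would trigger a browser
credential prompt and shows how a page policy could block them.
"""
from dataclasses import dataclass, field

# Challenge schemes for which mainstream browsers show a native login dialog.
# Other schemes (e.g. Bearer) make the load fail without prompting the user.
PROMPTING_SCHEMES = {"basic", "digest"}


@dataclass
class Response:
    """A constructed subresource response: URL, status and response headers."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)  # header name -> value

    def header(self, name):
        """Case-insensitive header lookup; None if absent."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def parse_challenges(value):
    """Return the lower-cased auth-scheme names in a WWW-Authenticate value.

    Handles the common multi-challenge form `Basic realm="a", Digest realm="b",
    qop="auth"`: after splitting on commas, a leading token without '=' is a
    scheme, anything with '=' is a parameter of the preceding challenge.
    (Realm strings containing commas are not handled; enough for an audit.)
    """
    schemes = []
    for part in value.split(","):
        token = part.strip().split(" ", 1)[0]
        if token and "=" not in token:
            schemes.append(token.lower())
    return schemes


def would_prompt(resp):
    """True if a browser would open a credential dialog for this response."""
    if resp.status != 401:
        return False
    challenge = resp.header("WWW-Authenticate")
    if not challenge:
        return False  # 401 without a challenge: a failed load, no dialog
    return any(s in PROMPTING_SCHEMES for s in parse_challenges(challenge))


def parse_csp(header_value):
    """Parse a Content-Security-Policy header into {directive: value}.

    Directives are ';'-separated, each 'name value...'.  Real CSP parsing has
    more rules (duplicate directives, tokens); this covers the example.
    """
    policy = {}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition(" ")
        policy[name.lower()] = value.strip()
    return policy


def enforce_http_auth_policy(policy, resp):
    """Return 'block' or 'allow' for a subresource response.

    Hypothetical semantics from the proposal: when the page policy carries
    `http-auth block`, any response that would raise a browser login prompt
    is blocked; everything else loads as usual.
    """
    if policy.get("http-auth") != "block":
        return "allow"
    return "block" if would_prompt(resp) else "allow"


def audit(csp_header, responses):
    """Map each response URL to the decision under the given page policy."""
    policy = parse_csp(csp_header)
    return {r.url: enforce_http_auth_policy(policy, r) for r in responses}


# Constructed sample responses (no real servers were contacted).
SAMPLE = [
    Response("http://www.example.com/cookie-mapping-pixel.jpg?cookie-id=123456",
             401, {"WWW-Authenticate": 'Basic realm="pixels"'}),
    Response("https://cdn.example.net/lib.js", 200,
             {"Content-Type": "text/javascript"}),
    Response("https://api.example.org/me", 401,
             {"WWW-Authenticate": 'Bearer realm="api"'}),
    Response("https://static.example.org/a.png", 401, {}),
]

if __name__ == "__main__":
    for url, decision in audit("default-src 'self'; http-auth block", SAMPLE).items():
        print(f"{decision:5s} {url}")
```

Only the pixel triggers a prompt and is blocked; the Bearer challenge and the challenge-less `401` are ordinary failed loads, so an auditor running this over captured responses learns which embedded third-party resources could be turned into a misleading login dialog if their host were compromised.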
