- From: Hatter Jiang <jht5945@gmail.com>
- Date: Fri, 8 Aug 2014 21:04:34 +0800
- To: public-webappsec@w3.org
Received on Friday, 8 August 2014 13:08:43 UTC
Websites will always refer to third-party resources, like a cookie mapping pixel, with code like below:

<img src="http://www.example.com/cookie-mapping-pixel.jpg?cookie-id=123456">

But when `www.example.com` was hacked, the server returns a `401` HTTP header, then the browser will pop up a window to let the user input a username and password, and the user may not know the username and password are needed by `www.example.com`, not by your website.

In our website, we never use 401 auth. So can we add a CSP like:

*http-auth: block;*

Then when the browser sees this policy and a resource requires 401 auth, the request can be blocked.

I think many sites need a feature like this.

Hatter Jiang
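Added example, not part of the original message: one way a site operator could audit for the situation described above, by scanning recorded subresource responses for cross-origin `401` answers that carry a `WWW-Authenticate` challenge. It assumes the response records (URL, status, headers) were collected separately, for instance by a crawler or proxy log; the function names, the page URL and all sample records are constructed for illustration.

```javascript
// Audit observed subresource responses for cross-origin HTTP auth challenges.

// Split a WWW-Authenticate value into its scheme and (optional) realm.
function parseChallenge(headerValue) {
  const m = /^\s*([A-Za-z][A-Za-z0-9-]*)(?:\s+(.*))?$/.exec(headerValue || "");
  if (!m) return null;
  const realm = /realm\s*=\s*"([^"]*)"/i.exec(m[2] || "");
  return { scheme: m[1].toLowerCase(), realm: realm ? realm[1] : null };
}

// Header names are case-insensitive; look one up in a plain object.
function getHeader(headers, name) {
  const key = Object.keys(headers || {}).find(k => k.toLowerCase() === name);
  return key ? headers[key] : undefined;
}

// Return one finding per third-party response that would ask for credentials.
function findCrossOriginAuthChallenges(pageUrl, responses) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const r of responses) {
    const url = new URL(r.url, pageUrl);          // resolves relative URLs
    if (url.origin === pageOrigin) continue;      // the site's own resources
    if (r.status !== 401) continue;
    const challenge = parseChallenge(getHeader(r.headers, "www-authenticate"));
    if (!challenge) continue;                     // no challenge header present
    findings.push({ origin: url.origin, path: url.pathname, ...challenge });
  }
  return findings;
}

// Constructed sample data: a page on a hypothetical site and four responses.
const SAMPLE_PAGE = "http://shop.example.test/index.html";
const SAMPLE_RESPONSES = [
  { url: "http://www.example.com/cookie-mapping-pixel.jpg?cookie-id=123456",
    status: 401, headers: { "WWW-Authenticate": 'Basic realm="Please log in"' } },
  { url: "/static/logo.png",
    status: 401, headers: { "WWW-Authenticate": 'Basic realm="internal"' } },
  { url: "http://cdn.example.net/lib.js", status: 200, headers: {} },
  { url: "http://ads.example.org/p.gif", status: 401, headers: {} },
];

for (const f of findCrossOriginAuthChallenges(SAMPLE_PAGE, SAMPLE_RESPONSES)) {
  console.log(`${f.origin}${f.path} -> ${f.scheme} challenge, realm=${f.realm}`);
}
```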