
Re: [CSP] prevent 401 attack

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 9 Aug 2014 12:42:00 +0200
Message-ID: <CADnb78id7URT0iLziRJwaqF=t6+VCzb7xwkfdtwyJBOyxqUg=w@mail.gmail.com>
To: Hatter Jiang <jht5945@gmail.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Fri, Aug 8, 2014 at 3:04 PM, Hatter Jiang <jht5945@gmail.com> wrote:
> <img src="http://www.example.com/cookie-mapping-pixel.jpg?cookie-id=123456">
>
> But when `www.example.com` is hacked, the server returns a `401` HTTP header;
> then the browser pops up a window letting the user input a username and
> password, and the user may not know that the username and password are needed by
> `www.example.com`, not by your website. In our website, we never use 401
> auth.
>
> So can we add the CSP like:
>
> http-auth: block;
>
> Then, when the browser sees this policy and the resource requires 401 auth, this
> request can be blocked.
>
> I think many sites need a feature like this.

Control over whether an authentication response causes a dialog is
something we want to offer (perhaps also through CSP, makes sense).
I'm not sure if we want an authentication response to cause a
network error. That seems like an orthogonal feature.


-- 
http://annevankesteren.nl/
Received on Saturday, 9 August 2014 10:42:27 UTC
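The two behaviours this reply separates (suppressing the credential dialog versus turning the 401 into a network error), modelled as an added example that is not part of the thread or of any browser or CSP specification. The `http-auth: block` directive is the one proposed above and is hypothetical; the `AuthPolicy` flags and function names are assumptions made for illustration.

```python
# Added illustration of the proposed (hypothetical, never standardised) directive.
from dataclasses import dataclass
from enum import Enum
from typing import Mapping


class Outcome(Enum):
    LOADED = "resource loaded"
    FAILED = "load failed, no credential prompt"
    PROMPT = "browser shows a credential dialog for the subresource's origin"
    NETWORK_ERROR = "request blocked by policy (network error)"


@dataclass(frozen=True)
class AuthPolicy:
    # The reply treats these as two orthogonal knobs; both are modelled as flags.
    suppress_dialog: bool = False   # a 401 challenge fails quietly instead of prompting
    network_error: bool = False     # a 401 challenge is surfaced as a blocked request


def parse_policy(header: str) -> AuthPolicy:
    """Parse a CSP-style header, interpreting only the hypothetical `http-auth`
    directive. Accepts `http-auth block` (CSP syntax) and `http-auth: block`
    (as written in the thread); every other directive is ignored."""
    for directive in header.split(";"):
        tokens = directive.replace(":", " ").split()
        if tokens and tokens[0].lower() == "http-auth" \
                and "block" in [t.lower() for t in tokens[1:]]:
            # Blocking the request necessarily means no dialog can be shown.
            return AuthPolicy(suppress_dialog=True, network_error=True)
    return AuthPolicy()


def handle_subresource_response(policy: AuthPolicy, status: int,
                                headers: Mapping[str, str]) -> Outcome:
    """Decide what happens when an embedded resource (such as the cookie-mapping
    pixel) answers. A dialog is only possible for a 401 carrying a
    WWW-Authenticate challenge; a bare 401 is just a failed load."""
    challenged = status == 401 and any(k.lower() == "www-authenticate" for k in headers)
    if not challenged:
        return Outcome.LOADED if 200 <= status < 300 else Outcome.FAILED
    if policy.network_error:
        return Outcome.NETWORK_ERROR
    if policy.suppress_dialog:
        return Outcome.FAILED
    return Outcome.PROMPT


# Constructed sample: the compromised third-party host now challenges the pixel load.
PIXEL_RESPONSE = (401, {"WWW-Authenticate": 'Basic realm="www.example.com"'})
```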
