Re: [CSP] prevent 401 attach

On Fri, Aug 8, 2014 at 3:04 PM, Hatter Jiang <> wrote:
> <img src="">
> But when `` was hacked, the server returns a `401` HTTP header,
> then the browser will pop up a window to let the user input a username and
> password, and the user may not know the username and password are needed by
> ``, not from your website. In our website, we never use 401
> auth.
> So can we add the CSP like:
> http-auth: block;
> Then, when the browser sees this policy and the resource requires 401 auth, this
> request can be blocked.
> I think many sites need a feature like this.

Control over whether an authentication response causes a dialog is
something we want to offer (perhaps also through CSP, makes sense).
I'm not sure if we want an authentication response to cause a
network error. That seems like an orthogonal feature.


Received on Saturday, 9 August 2014 10:42:27 UTC
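
An added example, not part of the original thread: a small audit check that a site owner could run over recorded subresource responses to spot the situation described above, where a cross-origin resource answers with `401` and a challenge that makes the browser show a credential dialog. The URLs, the record layout and the function names are assumptions made for this illustration, and only the Basic and Digest schemes are treated as prompting.

```python
from urllib.parse import urlsplit

# Constructed sample data: responses seen while loading one page
# (for instance exported from a crawler). All hosts are placeholders.
PAGE_URL = "https://www.example.com/index.html"
SAMPLE_RESPONSES = [
    {"url": "https://www.example.com/logo.png", "status": 200, "headers": {}},
    {"url": "https://cdn.example.net/banner.png", "status": 401,
     "headers": {"WWW-Authenticate": 'Basic realm="www.example.com login"'}},
    {"url": "https://img.example.org/a.png", "status": 401,
     "headers": {"www-authenticate": "Bearer"}},
    {"url": "https://static.example.org/b.png", "status": 404, "headers": {}},
]

# Assumption: only these challenge schemes are treated as producing a dialog.
PROMPTING_SCHEMES = {"basic", "digest"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) tuple used for origin comparison."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname,
            parts.port or DEFAULT_PORTS.get(parts.scheme))


def auth_scheme(headers):
    """Return the lowercased scheme of the WWW-Authenticate challenge, if any."""
    for name, value in headers.items():
        if name.lower() == "www-authenticate" and value.strip():
            return value.split(None, 1)[0].lower()
    return None


def find_cross_origin_auth_prompts(page_url, responses):
    """List (url, scheme) for cross-origin 401 responses that would prompt."""
    page_origin = origin(page_url)
    findings = []
    for resp in responses:
        if resp["status"] != 401:
            continue
        scheme = auth_scheme(resp["headers"])
        if scheme in PROMPTING_SCHEMES and origin(resp["url"]) != page_origin:
            findings.append((resp["url"], scheme))
    return findings


if __name__ == "__main__":
    for url, scheme in find_cross_origin_auth_prompts(PAGE_URL, SAMPLE_RESPONSES):
        print(f"cross-origin {scheme} challenge from {url}")
```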