- From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
- Date: Thu, 27 Aug 2015 21:15:18 +0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <D2052E66.17FC7%kepeng.lkp@alibaba-inc.com>
Hello all,

I want to initiate some discussion about an old thread, CSP Issue Tracker 68: http://www.w3.org/2011/webappsec/track/issues/68

This issue was raised by Haitao in 2014: https://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0015.html

Websites always refer to third-party resources. When a third-party resource is hacked and the server returns a `401` HTTP status, the browser will pop up a window asking the user to input a user name and password, and the user may not know that the user name and password are being requested by the third-party resource. Currently only Chrome blocks this 401 HTTP authentication popup. Other browsers don't. This causes inconsistent user experiences and introduces security risks.

Can we have something in CSP to block this `401` HTTP Authentication prompt? Then, when the browser sees this policy and the resource requires 401 auth, the request can be blocked.

We received feedback from Anne: https://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0016.html

"Control over whether an authentication response causes a dialog is something we want to offer (perhaps also through CSP, makes sense). I'm not sure if we want an authentication response to cause a network error. That seems like an orthogonal feature."

The previous discussion minutes: http://www.w3.org/2014/10/27-webappsec-minutes.html#item11

We want to hear the group's feedback: should we do this in CSP, or should we do it in another standard?

Thanks,

Kind Regards
Kepeng Li
Alibaba Group
Received on Thursday, 27 August 2015 13:16:16 UTC
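To make the risk in the thread concrete, here is an added example (not code from the thread, from CSP, or from any browser) of the decision a user agent or a policy layer could apply: show the credential dialog only for same-origin 401 challenges and fail cross-origin ones silently, which is the behaviour the thread attributes to Chrome. The host names and the rule itself are assumptions.

```python
from urllib.parse import urlsplit
PROMPTING_SCHEMES = {"basic", "digest"}  # schemes for which a browser shows a credential dialog

def origin_of(url: str) -> str:
    """scheme://host[:port] with default ports dropped, so comparisons are stable."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), (p.hostname or "").lower(), p.port
    if port is None or (scheme, port) in (("http", 80), ("https", 443)):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"

def auth_schemes(www_authenticate: str) -> list[str]:
    """Scheme names from a WWW-Authenticate value, e.g. 'Basic realm="a", Digest realm="b",
    qop="auth"' -> ['Basic', 'Digest']. Commas inside quoted strings do not separate
    challenges; a piece whose first token contains '=' is a parameter, not a new scheme."""
    pieces, buf, in_quotes = [], "", False
    for ch in www_authenticate:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            pieces.append(buf)
            buf = ""
        else:
            buf += ch
    pieces.append(buf)
    schemes = []
    for piece in pieces:
        first = piece.strip().split(" ", 1)[0]
        if first and "=" not in first:
            schemes.append(first)
    return schemes

def auth_prompt_decision(page_url: str, resource_url: str, status: int, headers: dict) -> str:
    """Return 'prompt', 'suppress' or 'none' for one subresource response.
    Rule (an assumption modelled on the cross-origin behaviour the thread attributes
    to Chrome): a 401 carrying a Basic/Digest challenge prompts only when the resource
    is same-origin with the page; a cross-origin challenge fails silently instead."""
    if status != 401:
        return "none"
    offered = {s.lower() for s in auth_schemes(headers.get("WWW-Authenticate", ""))}
    if not offered & PROMPTING_SCHEMES:
        return "none"  # e.g. Bearer only: no browser dialog is involved
    return "prompt" if origin_of(page_url) == origin_of(resource_url) else "suppress"

if __name__ == "__main__":
    # Constructed sample: a page on shop.example embeds a third-party script whose host now returns 401
    page = "https://shop.example/checkout"
    for url, hdr in [("https://shop.example/api/cart", 'Basic realm="cart"'),
                     ("https://cdn.third-party.example/widget.js", 'Basic realm="login"')]:
        print(url, "->", auth_prompt_decision(page, url, 401, {"WWW-Authenticate": hdr}))
```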