
CSP 401 Issue

From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
Date: Thu, 27 Aug 2015 21:15:18 +0800
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D2052E66.17FC7%kepeng.lkp@alibaba-inc.com>
Hello all,

I want to initiate some discussions about an old thread, CSP Issue Tracker
68:
http://www.w3.org/2011/webappsec/track/issues/68


This issue was raised by Haitao in 2014:
https://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0015.html
 
Websites always refer to third-party resources. When a third-party resource is
hacked, the server returns a `401` HTTP header, and the browser then pops up a
window asking the user to enter a user name and password; the user may not
know that the username and password are being requested by the third-party resource.


Currently only Chrome will block this 401 HTTP authentication popup. Other
browsers don’t. This causes inconsistent user experiences and introduces
security risks.


Can we have something in CSP to block this `401` HTTP Authentication
prompt?


Then, when the browser sees this policy and the resource requires 401 auth, the
request can be blocked.
 
We received feedback from Anne:
https://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0016.html
 
Control over whether an authentication response causes a dialog is
something we want to offer (perhaps also through CSP, makes sense).
I'm not sure if we want an authentication response to cause a
network error. That seems like an orthogonal feature.
 
The previous discussion minutes:
http://www.w3.org/2014/10/27-webappsec-minutes.html#item11


We want to hear the group's feedback on whether we should do this in CSP or
by other standards.


Thanks,


Kind Regards
Kepeng Li
Alibaba Group
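The behaviour this thread asks for, written out as a small decision function so the two options Anne distinguishes (suppress the dialog vs. turn the response into a network error) are explicit. This is an added illustration, not code from the thread or from any browser; the policy flag `blockThirdPartyAuthPrompt` and the response objects are constructed for the example, and no such CSP directive exists.

```javascript
// Hypothetical policy shape for illustration: { blockThirdPartyAuthPrompt: boolean }.
// Response objects are constructed here as plain { url, status, headers } records,
// with header names lower-cased, rather than real fetch() Response instances.

function originOf(url) {
  return new URL(url).origin;
}

// Returns one of:
//   'pass'   - not a 401 challenge, deliver the response as usual
//   'prompt' - let the browser show its credential dialog
//   'block'  - treat the challenge as a network error (no dialog, resource fails)
function decideAuthChallenge(pageUrl, response, policy) {
  const isChallenge =
    response.status === 401 &&
    typeof response.headers['www-authenticate'] === 'string';
  if (!isChallenge) return 'pass';

  // The page's own origin asking for credentials is the normal login case.
  const thirdParty = originOf(pageUrl) !== originOf(response.url);
  if (!thirdParty) return 'prompt';

  // A third-party subresource challenging for credentials is the case the
  // thread describes: the user cannot tell who is asking, so the proposed
  // policy fails the request instead of prompting.
  return policy.blockThirdPartyAuthPrompt ? 'block' : 'prompt';
}

// Constructed sample page, policy and responses.
const PAGE = 'https://example.com/index.html';
const POLICY = { blockThirdPartyAuthPrompt: true };
const SAMPLES = [
  { url: 'https://cdn.example.net/lib.js', status: 401,
    headers: { 'www-authenticate': 'Basic realm="cdn"' } },
  { url: 'https://example.com/api/me', status: 401,
    headers: { 'www-authenticate': 'Basic realm="site"' } },
  { url: 'https://cdn.example.net/lib.js', status: 200, headers: {} },
];

function runSamples() {
  return SAMPLES.map((r) => decideAuthChallenge(PAGE, r, POLICY));
}

console.log(runSamples()); // [ 'block', 'prompt', 'pass' ]
```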
Received on Thursday, 27 August 2015 13:16:16 UTC
