- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sat, 5 Sep 2015 17:41:04 +0200
- To: Kepeng Li <kepeng.lkp@alibaba-inc.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Aug 27, 2015 at 3:15 PM, Kepeng Li <kepeng.lkp@alibaba-inc.com> wrote:
> Website always refer to third-party resources. When third-party resource was
> hacked, the server returns `401` HTTP header, then the browser will popup a
> window to let the user input user name and password, and the user may not
> know the username and password is needed by the third-party resource.
>
> Currently only Chrome will block this 401 HTTP authentication popup. Other
> browsers don’t. This causes inconsistent user experiences and introduces
> security risks.
>
> Can we have something in the CSP to block this ‚401‘ HTTP Authentication
> prompt?

Wouldn't it be better if other browsers followed what Chrome did here?

--
https://annevankesteren.nl/

Received on Saturday, 5 September 2015 15:41:29 UTC