W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: CSP 401 Issue

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 5 Sep 2015 17:41:04 +0200
Message-ID: <CADnb78hNHK5RnBi8g2JgTYsK_szS0fEhY4wkAuiDigtyt+Zw-w@mail.gmail.com>
To: Kepeng Li <kepeng.lkp@alibaba-inc.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Aug 27, 2015 at 3:15 PM, Kepeng Li <kepeng.lkp@alibaba-inc.com> wrote:
> Website always refer to third-party resources. When third-party resource was
> hacked, the server returns `401` HTTP header, then the browser will popup a
> window to let the user input user name and password, and the user may not
> know the username and password is needed by the third-party resource.
> Currently only Chrome will block this 401 HTTP authentication popup. Other
> browsers don’t. This causes inconsistent user experiences and introduces
> security risks.
> Can we have something in the CSP to block this ‚401‘ HTTP Authentication
> prompt?

Wouldn't it be better if other browsers followed what Chrome did here?

Received on Saturday, 5 September 2015 15:41:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:51 UTC