Re: CSP 401 Issue

From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
Date: Sun, 06 Sep 2015 10:49:25 +0800
To: Anne van Kesteren <annevk@annevk.nl>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D211CA3F.1A098%kepeng.lkp@alibaba-inc.com>
> Wouldn't it be better if other browsers followed what Chrome did here?


Yes, but currently they don’t.

Kind Regards
Kepeng

On 5/9/15 11:41 pm, "Anne van Kesteren" <annevk@annevk.nl> wrote:

>On Thu, Aug 27, 2015 at 3:15 PM, Kepeng Li <kepeng.lkp@alibaba-inc.com> wrote:
>> Websites always refer to third-party resources. When a third-party
>> resource is hacked, the server returns a `401` HTTP header, then the
>> browser will pop up a window to let the user input a user name and
>> password, and the user may not know the username and password are
>> needed by the third-party resource.
>>
>> Currently only Chrome will block this 401 HTTP authentication popup.
>> Other browsers don’t. This causes inconsistent user experiences and
>> introduces security risks.
>>
>> Can we have something in the CSP to block this '401' HTTP Authentication
>> prompt?
>
>Wouldn't it be better if other browsers followed what Chrome did here?
>
>
>-- 
>https://annevankesteren.nl/
Received on Sunday, 6 September 2015 02:50:07 UTC
