- From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
- Date: Sun, 06 Sep 2015 10:49:25 +0800
- To: Anne van Kesteren <annevk@annevk.nl>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
> Wouldn't it be better if other browsers followed what Chrome did here?

Yes, but currently they don't.

Kind Regards

Kepeng

On 5/9/15 11:41 pm, "Anne van Kesteren" <annevk@annevk.nl> wrote:

>On Thu, Aug 27, 2015 at 3:15 PM, Kepeng Li <kepeng.lkp@alibaba-inc.com> wrote:
>> Websites always refer to third-party resources. When a third-party
>> resource was hacked, the server returns a `401` HTTP header, then the
>> browser will pop up a window to let the user input a user name and
>> password, and the user may not know the username and password are
>> needed by the third-party resource.
>>
>> Currently only Chrome will block this 401 HTTP authentication popup.
>> Other browsers don't. This causes inconsistent user experiences and
>> introduces security risks.
>>
>> Can we have something in the CSP to block this '401' HTTP Authentication
>> prompt?
>
>Wouldn't it be better if other browsers followed what Chrome did here?
>
>
>--
>https://annevankesteren.nl/
Received on Sunday, 6 September 2015 02:50:07 UTC
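
The condition discussed in this thread (a cross-origin subresource answering `401` with an authentication challenge) can be checked for in recorded response data. The following is an added example, not part of the original messages; the record shape, the function names, the sample URLs and the list of prompting schemes are assumptions made for illustration.

```javascript
// Schemes assumed to make a browser show a credential dialog (assumption of this example).
const PROMPTING_SCHEMES = new Set(["basic", "digest", "ntlm", "negotiate"]);

// Extract the auth-scheme names from one WWW-Authenticate header value.
function challengeSchemes(headerValue) {
  // Blank out quoted strings so a comma inside realm="a, b" does not split a challenge.
  const stripped = headerValue.replace(/"(?:[^"\\]|\\.)*"/g, '""');
  const schemes = [];
  for (const part of stripped.split(",")) {
    // A challenge starts with a bare token; auth-params have the form name=value.
    const m = /^([^\s=,]+)(?:\s+[^\s=]|\s*$)/.exec(part.trim());
    if (m) schemes.push(m[1].toLowerCase());
  }
  return schemes;
}

// Return the subresource responses that would raise an auth prompt for another origin.
function findThirdPartyAuthPrompts(pageUrl, responses) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const r of responses) {
    if (r.status !== 401) continue;
    const resourceOrigin = new URL(r.url, pageUrl).origin;
    if (resourceOrigin === pageOrigin) continue; // first-party prompts are out of scope
    // Header names are case-insensitive; a header may be recorded more than once.
    const values = Object.entries(r.headers || {})
      .filter(([name]) => name.toLowerCase() === "www-authenticate")
      .flatMap(([, v]) => (Array.isArray(v) ? v : [v]));
    const schemes = values.flatMap(challengeSchemes).filter((s) => PROMPTING_SCHEMES.has(s));
    if (schemes.length > 0) findings.push({ url: r.url, origin: resourceOrigin, schemes });
  }
  return findings;
}

// Constructed sample data (not taken from the thread).
const SAMPLE_PAGE = "https://shop.example/checkout";
const SAMPLE_RESPONSES = [
  { url: "https://shop.example/api/cart", status: 401, headers: { "WWW-Authenticate": 'Basic realm="shop"' } },
  { url: "https://cdn.thirdparty.example/lib.js", status: 401, headers: { "www-authenticate": 'Basic realm="Please log in, shop.example"' } },
  { url: "https://img.thirdparty.example/a.png", status: 401, headers: {} },
  { url: "https://ads.other.example/t.gif", status: 401, headers: { "WWW-Authenticate": ['Digest realm="x", nonce="abc", qop="auth"', "Bearer"] } },
  { url: "/local.css", status: 200, headers: {} },
];

console.log(findThirdPartyAuthPrompts(SAMPLE_PAGE, SAMPLE_RESPONSES));
```
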