W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: CSP 401 Issue

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Tue, 8 Sep 2015 17:23:55 -0700
To: Anne van Kesteren <annevk@annevk.nl>, Kepeng Li <kepeng.lkp@alibaba-inc.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <55EF7C1B.6010100@mozilla.com>
On 9/5/15 8:41 AM, Anne van Kesteren wrote:
> On Thu, Aug 27, 2015 at 3:15 PM, Kepeng Li <kepeng.lkp@alibaba-inc.com> wrote:
>> Website always refer to third-party resources. When third-party resource was
>> hacked, the server returns `401` HTTP header, then the browser will popup a
>> window to let the user input user name and password, and the user may not
>> know the username and password is needed by the third-party resource.
>>
>> Currently only Chrome will block this 401 HTTP authentication popup. Other
>> browsers don’t. This causes inconsistent user experiences and introduces
>> security risks.
>>
>> Can we have something in the CSP to block this ‚401‘ HTTP Authentication
>> prompt?
> Wouldn't it be better if other browsers followed what Chrome did here?
>
>
Firefox tried to block basic auth prompts from cross origin 
subresources[1], but the fix didn't stick because of compatibility 
issues[2].

Are you sure Chrome blocks these requests?  I believe they only block 
the prompt from image subresources.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=647010
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1197944
Received on Wednesday, 9 September 2015 00:24:28 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC