- From: Tanvi Vyas <tanvi@mozilla.com>
- Date: Tue, 8 Sep 2015 17:23:55 -0700
- To: Anne van Kesteren <annevk@annevk.nl>, Kepeng Li <kepeng.lkp@alibaba-inc.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 9/5/15 8:41 AM, Anne van Kesteren wrote:
> On Thu, Aug 27, 2015 at 3:15 PM, Kepeng Li <kepeng.lkp@alibaba-inc.com> wrote:
>> Websites always refer to third-party resources. When a third-party resource is
>> hacked, the server returns a `401` HTTP status, and then the browser will pop up a
>> window to let the user input a user name and password, and the user may not
>> know that the username and password are needed by the third-party resource.
>>
>> Currently only Chrome will block this 401 HTTP authentication popup. Other
>> browsers don't. This causes inconsistent user experiences and introduces
>> security risks.
>>
>> Can we have something in the CSP to block this `401` HTTP Authentication
>> prompt?
>
> Wouldn't it be better if other browsers followed what Chrome did here?

Firefox tried to block basic auth prompts from cross-origin subresources[1], but the fix didn't stick because of compatibility issues[2]. Are you sure Chrome blocks these requests? I believe they only block the prompt from image subresources.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=647010
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1197944
Received on Wednesday, 9 September 2015 00:24:28 UTC
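The thread contrasts two behaviours: suppressing the basic-auth prompt for every cross-origin subresource (the Firefox attempt) versus suppressing it only for cross-origin images (what Tanvi believes Chrome does). The following is an added illustration, not code from the thread or from either browser: a small model of that prompt decision, with hypothetical policy names and a constructed 401 response from a third-party CDN.

```python
# Added example: model of a browser deciding whether to show a basic-auth
# prompt when a fetch answers 401. Policy names are hypothetical labels for
# the behaviours discussed in the thread, not real browser settings.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Scheme/host/port tuple used for the same-origin comparison."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


def challenge_schemes(headers):
    """Auth schemes offered by WWW-Authenticate headers, lower-cased."""
    values = [v for k, v in headers if k.lower() == "www-authenticate"]
    return [v.split(None, 1)[0].lower() for v in values if v.strip()]


def prompt_decision(document_url, request_url, status, headers, destination, policy):
    """Return (show_prompt, reason) for one response.

    destination: "document" for a top-level navigation, otherwise the
    subresource type ("image", "script", ...), as in the Fetch spec.
    policy: "block-cross-origin-subresources" (the Firefox attempt),
            "block-cross-origin-images" (what the thread attributes to
            Chrome), or "none" (always prompt).
    """
    if status != 401 or "basic" not in challenge_schemes(headers):
        return (False, "no basic-auth challenge")
    if destination == "document":
        return (True, "top-level navigation: the user addressed this origin")
    cross_origin = origin(document_url) != origin(request_url)
    if cross_origin and policy == "block-cross-origin-subresources":
        return (False, "cross-origin subresource: prompt suppressed")
    if cross_origin and destination == "image" and policy == "block-cross-origin-images":
        return (False, "cross-origin image: prompt suppressed")
    if cross_origin:
        return (True, "prompt shown; the user cannot see which origin asks")
    return (True, "same-origin prompt shown")


# Constructed sample: a shop page embeds a banner from a third-party CDN
# that has started answering 401 with a Basic challenge.
DOC = "https://shop.example/cart"
BANNER = "http://cdn.third.example/banner.png"
HDRS = [("WWW-Authenticate", 'Basic realm="cdn"')]

if __name__ == "__main__":
    for policy in ("none", "block-cross-origin-images", "block-cross-origin-subresources"):
        print(policy, prompt_decision(DOC, BANNER, 401, HDRS, "image", policy))
```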