
Re: CSP 401 Issue

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 9 Sep 2015 10:02:28 +0200
Message-ID: <CADnb78i_4bRVZM0gjBvvBd7ujS6_DCz5fPR4QoeCTBjzXR2=ww@mail.gmail.com>
To: Tanvi Vyas <tanvi@mozilla.com>
Cc: Kepeng Li <kepeng.lkp@alibaba-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Sep 9, 2015 at 2:23 AM, Tanvi Vyas <tanvi@mozilla.com> wrote:
> Are you sure Chrome blocks these requests?  I believe they only block the
> prompt from image subresources.

I just went with what Kepeng was saying, but according to
https://dump.testsuite.org/xhr/auth/img-auth.html Chrome does not even
block those. Chrome does seem to block them for a 401 from
importScripts() inside a worker, whereas Firefox will still prompt.

So if this behavior is indeed needed for compatibility, perhaps we
should consider a CSP policy of sorts that forbids spawning dialogs
from such resources.

Received on Wednesday, 9 September 2015 08:02:57 UTC
