- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 9 Sep 2015 10:02:28 +0200
- To: Tanvi Vyas <tanvi@mozilla.com>
- Cc: Kepeng Li <kepeng.lkp@alibaba-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Sep 9, 2015 at 2:23 AM, Tanvi Vyas <tanvi@mozilla.com> wrote:
> Are you sure Chrome blocks these requests? I believe they only block the
> prompt from image subresources.

I just went with what Kepeng was saying, but according to
https://dump.testsuite.org/xhr/auth/img-auth.html Chrome does not even
block those. Chrome does seem to block them for a 401 from
importScripts() inside a worker, whereas Firefox will still prompt.

So if this behavior is indeed needed for compatibility, perhaps we
should consider a CSP policy of sorts that forbids spawning dialogs
from such resources.

--
https://annevankesteren.nl/

Received on Wednesday, 9 September 2015 08:02:57 UTC