As I recall, we've tried to do this a few times in Chrome. We've had both
compatibility issues as well as security issues. Naively suppressing the
dialog makes it possible to brute-force username/password combinations (as
the user's never notified, and failures are distinguishable from successes
via any number of side-channels (nativeWidth, etc)).
+Tom, who knows more about the details than I do.
-mike
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
On Wed, Sep 9, 2015 at 10:02 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Wed, Sep 9, 2015 at 2:23 AM, Tanvi Vyas <tanvi@mozilla.com> wrote:
> > Are you sure Chrome blocks these requests? I believe they only block the
> > prompt from image subresources.
>
> I just went with what Kepeng was saying, but according to
> https://dump.testsuite.org/xhr/auth/img-auth.html Chrome does not even
> block those. Chrome does seem to block them for a 401 from
> importScripts() inside a worker, whereas Firefox will still prompt.
>
> So if this behavior is indeed needed for compatibility, perhaps we
> should consider a CSP policy of sorts that forbids spawning dialogs
> from such resources.
>
>
> --
> https://annevankesteren.nl/
>
>