W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: CSP 401 Issue

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 9 Sep 2015 13:33:31 +0200
Message-ID: <CADnb78iQoVyBfkSo-ur8tPObz=+41rOLLdCb2ykxjDy1SnBUhw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Thomas Sepez <tsepez@google.com>, Tanvi Vyas <tanvi@mozilla.com>, Kepeng Li <kepeng.lkp@alibaba-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Sep 9, 2015 at 12:35 PM, Mike West <mkwst@google.com> wrote:
> As I recall, we've tried to do this a few times in Chrome. We've had both
> compatibility issues as well as security issues. Naively suppressing the
> dialog makes it possible to brute-force username/password combinations (as
> the user's never notified, and failures are distinguishable from successes
> via any number of side-channels (nativeWidth, etc)).

Well, that's only the case if you supply a username and password
through the URL. The example I referenced is a URL without those that
results in challenge due to the 401. Making a distinction between the
two might be worthwhile. Though I'd imagine that if we have some CSP
directive it'd block both.

> +Tom, who knows more about the details than I do.

Received on Wednesday, 9 September 2015 11:33:57 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:51 UTC