- From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
- Date: Thu, 10 Sep 2015 08:46:57 +0800
- To: Anne van Kesteren <annevk@annevk.nl>, Tanvi Vyas <tanvi@mozilla.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
> So if this behavior is indeed needed for compatibility, perhaps we
> should consider a CSP policy of sorts that forbids spawning dialogs
> from such resources.

Yes, that is what I want to have in CSP to ensure the compatibility and
consistent user experience.

Kind Regards
Kepeng

On 9/9/15 4:02 pm, "Anne van Kesteren" <annevk@annevk.nl> wrote:

>On Wed, Sep 9, 2015 at 2:23 AM, Tanvi Vyas <tanvi@mozilla.com> wrote:
>> Are you sure Chrome blocks these requests? I believe they only block
>> the prompt from image subresources.
>
>I just went with what Kepeng was saying, but according to
>https://dump.testsuite.org/xhr/auth/img-auth.html Chrome does not even
>block those. Chrome does seem to block them for a 401 from
>importScripts() inside a worker, whereas Firefox will still prompt.
>
>So if this behavior is indeed needed for compatibility, perhaps we
>should consider a CSP policy of sorts that forbids spawning dialogs
>from such resources.
>
>
>--
>https://annevankesteren.nl/
Received on Thursday, 10 September 2015 00:47:37 UTC