Re: CSP 401 Issue

From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
Date: Thu, 10 Sep 2015 08:46:57 +0800
To: Anne van Kesteren <annevk@annevk.nl>, Tanvi Vyas <tanvi@mozilla.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D216F3A0.1ACC2%kepeng.lkp@alibaba-inc.com>
> So if this behavior is indeed needed for compatibility, perhaps we
> should consider a CSP policy of sorts that forbids spawning dialogs
> from such resources.


Yes, that is what I want to have in CSP to ensure the compatibility and
consistent user experience.

Kind Regards
Kepeng

On 9/9/15 4:02 pm, "Anne van Kesteren" <annevk@annevk.nl> wrote:

>On Wed, Sep 9, 2015 at 2:23 AM, Tanvi Vyas <tanvi@mozilla.com> wrote:
>> Are you sure Chrome blocks these requests?  I believe they only block the
>> prompt from image subresources.
>
>I just went with what Kepeng was saying, but according to
>https://dump.testsuite.org/xhr/auth/img-auth.html Chrome does not even
>block those. Chrome does seem to block them for a 401 from
>importScripts() inside a worker, whereas Firefox will still prompt.
>
>So if this behavior is indeed needed for compatibility, perhaps we
>should consider a CSP policy of sorts that forbids spawning dialogs
>from such resources.
>
>
>-- 
>https://annevankesteren.nl/
Received on Thursday, 10 September 2015 00:47:37 UTC