- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Mon, 7 May 2012 21:30:43 +0200
On Mon, May 7, 2012 at 9:05 PM, Jonas Sicking <jonas at sicking.cc> wrote: > On Mon, May 7, 2012 at 8:59 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote: >> On 5/7/12 11:53 AM, Tab Atkins Jr. wrote: >>> Yes, definitely (unless you set .withCredentials on it or something, >>> like the XHR attribute). >> >> Hold on. ?If you _do_ set withCredentials, you should be required to pass >> the credentials in or something. ?Under no circumstances would prompting for >> credentials for a request associated with an already-unloaded page be OK >> from my point of view.... > > There seems to be some confusion here regarding how withCredentials > works. First of all withCredentials is a CORS thing. CORS requests > *never* pop up an authentication dialog. (There is also the question > of if we want to support CORS here, I suspect we do). > > But I totally agree with Boris that we can't ever pop up security > dialogs for a site that the user has left. I definitely agree that we never pop up an auth dialog for an unloadHandler request. That's just silly. If I'm understanding XHR's withCredentials flag, it just sends the *existing* ambient credentials, to apply against HTTP auth (along with cookies and such). It doesn't prompt you for anything if you don't already have ambient credentials for a given site, right? ~TJ
Received on Monday, 7 May 2012 12:30:43 UTC