- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 14 Mar 2013 15:59:33 +0000
- To: WHATWG <whatwg@whatwg.org>
So if the server replies with status 401 and a WWW-Authenticate header that is properly formatted (I did not do detailed syntax checks but e.g. WWW-Authenticate: basicerror does not work) is present, we prompt the user. We do this for <img>, <script>, new Worker(), XMLHttpRequest, workers' importScripts() (including shared workers!), ... We do not prompt for cross-origin requests when CORS is opted into. Is there anything we should do here? Prompting the end user for requests they did not explicitly initiate via navigation seems very confusing. On the other hand maybe creating a divergence here is not worth it at this point. -- http://annevankesteren.nl/
Received on Thursday, 14 March 2013 16:00:05 UTC