- From: Robin Berjon <robin@w3.org>
- Date: Thu, 14 Mar 2013 16:34:52 +0000
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WHATWG <whatwg@whatwg.org>
On 14/03/2013 15:59 , Anne van Kesteren wrote:
> So if the server replies with status 401 and a WWW-Authenticate header
> that is properly formatted (I did not do detailed syntax checks but
> e.g. WWW-Authenticate: basicerror does not work) is present, we prompt
> the user. We do this for <img>, <script>, new Worker(),
> XMLHttpRequest, workers' importScripts() (including shared workers!),
> ...
>
> We do not prompt for cross-origin requests when CORS is opted into.
>
> Is there anything we should do here? Prompting the end user for
> requests they did not explicitly initiate via navigation seems very
> confusing. On the other hand maybe creating a divergence here is not
> worth it at this point.

People who don't rely on this will never have their users see the prompts, so it's hardly harming them.

People who *do* rely on this (assuming they exist — in this case they probably do somewhere) will find their services broken if we change it.

So on the face of things, I get the impression that there's zero cost in keeping things the way they are, and risk in changing them.

I think that the lack of interoperability, and the complete inanity of prompting in browsers where it happens, is more problematic in the case of unsafe redirects.

-- 
Robin Berjon - http://berjon.com/ - @robinberjon
Received on Thursday, 14 March 2013 16:35:29 UTC
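The behaviour Anne describes in the quoted text (a 401 plus a well-formed WWW-Authenticate challenge makes the browser prompt for subresource loads such as <img>, <script> and XMLHttpRequest, but not for cross-origin requests that opted into CORS) is something a site operator may want to audit for, since a stray Basic challenge on an image or script URL surfaces a credential dialog the user never asked for. The following is an added example, not code from the mailing list or from any browser: it parses a single WWW-Authenticate challenge and runs the stated rule over a few constructed response records. The record format, the `PROMPTING_SCHEMES` set, and the assumption that a recognised scheme is enough to count as "properly formatted" are all assumptions of this example.

```python
"""Flag subresource responses that would trigger a browser credential prompt
under the rule described in the thread: status 401 plus a well-formed
WWW-Authenticate challenge, except for CORS-opted-in cross-origin requests.
Added example; the log record shape and the scheme list are assumptions."""
import re

# Assumption: schemes for which browsers of the period show a native prompt.
PROMPTING_SCHEMES = {"basic", "digest"}

# RFC 7235 grammar, simplified: challenge = auth-scheme [ 1*SP *auth-param ]
#   auth-scheme = token ;  auth-param = token "=" ( token / quoted-string )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_CHALLENGE_RE = re.compile(rf"^\s*(?P<scheme>{_TOKEN})(?:\s+(?P<params>.*))?$")
_PARAM_RE = re.compile(rf'({_TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({_TOKEN}))')


def parse_challenge(header_value):
    """Parse one WWW-Authenticate challenge.

    Returns (scheme, params) with the scheme lower-cased, or None when the
    value is not a syntactically valid challenge. A header carrying several
    comma-separated challenges is out of scope for this example.
    """
    m = _CHALLENGE_RE.match(header_value)
    if not m:
        return None
    params = {}
    for key, quoted, bare in _PARAM_RE.findall(m.group("params") or ""):
        # The bare-token branch is non-empty only when it matched; otherwise
        # take the quoted-string contents (which may legitimately be empty).
        params[key.lower()] = bare if bare else quoted
    return m.group("scheme").lower(), params


def would_prompt(status, headers, cross_origin_cors):
    """Apply the thread's rule to one response. `headers` keys are lower-case."""
    if status != 401 or cross_origin_cors:
        return False
    value = headers.get("www-authenticate")
    if value is None:
        return False
    parsed = parse_challenge(value)
    if parsed is None:
        return False
    scheme, _params = parsed
    # Assumption: an unrecognised scheme (e.g. "basicerror") never prompts.
    return scheme in PROMPTING_SCHEMES


# Constructed sample records, shaped like a minimal per-subresource access log.
SAMPLE_RECORDS = [
    {"url": "https://app.example/logo.png", "initiator": "img", "status": 401,
     "headers": {"www-authenticate": 'Basic realm="internal"'}, "cors": False},
    {"url": "https://cdn.example/lib.js", "initiator": "script", "status": 401,
     "headers": {"www-authenticate": "basicerror"}, "cors": False},
    {"url": "https://api.example/data", "initiator": "xhr", "status": 401,
     "headers": {"www-authenticate": 'Basic realm="api"'}, "cors": True},
    {"url": "https://app.example/worker.js", "initiator": "worker", "status": 200,
     "headers": {}, "cors": False},
    {"url": "https://app.example/auth", "initiator": "xhr", "status": 401,
     "headers": {"www-authenticate": 'Digest realm="x", nonce="abc", qop="auth"'},
     "cors": False},
]


def find_prompting_subresources(records):
    """Return the URLs whose response would surface an unexpected prompt."""
    return [r["url"] for r in records
            if would_prompt(r["status"], r["headers"], r["cors"])]


if __name__ == "__main__":
    for url in find_prompting_subresources(SAMPLE_RECORDS):
        print("would prompt:", url)
```

Of the five constructed records only the Basic-challenged image and the same-origin Digest XHR are flagged: the `basicerror` script is syntactically a challenge but carries no scheme a browser will act on, the CORS-opted-in API call is exempt per the quoted text, and the 200 worker script never enters the rule. Running this over real access logs joined with initiator type is a cheap way to spot the exact situation Robin argues is harmless only for sites that don't rely on it.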