W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2013

Re: [whatwg] Fetch: HTTP Authentication

From: Glenn Maynard <glenn@zewt.org>
Date: Thu, 14 Mar 2013 12:05:16 -0500
Message-ID: <CABirCh89uxJAthNCzq4YAyh+aQO75SayKS_jHGrS_64tiFj=fg@mail.gmail.com>
To: Robin Berjon <robin@w3.org>
Cc: WHATWG <whatwg@whatwg.org>
On Thu, Mar 14, 2013 at 11:34 AM, Robin Berjon <robin@w3.org> wrote:

> People who don't rely on this will never have their users see the prompts,
> so it's hardly harming them.

It harmed me slightly just a couple days ago.  I moved a page that makes an
XHR request from one server to another.  The XHR request on the new server
accidentally pointed to an unrelated resource that was password-protected.
 When I loaded the page, I got a password prompt for a resource I
absolutely knew didn't require a password, which, until I figured out what
was going on, made me worry that my server had been compromised or that
some kind of MITM was taking place.

I don't know if it's possible or impossible to change this (probably not,
at least for XHR initiated from the UI thread), or if it's worth trying,
but weird behavior is always harmful, and XHR causing user prompting is
definitely weird.  There definitely shouldn't be prompting for anything
taking place in a worker.

Glenn Maynard
Received on Thursday, 14 March 2013 17:05:46 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:56 UTC