[whatwg] Declarative unload data

Tab Atkins Jr. jackalmage at gmail.com
Mon May 7 12:30:43 PDT 2012


On Mon, May 7, 2012 at 9:05 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> On Mon, May 7, 2012 at 8:59 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
>> On 5/7/12 11:53 AM, Tab Atkins Jr. wrote:
>>> Yes, definitely (unless you set .withCredentials on it or something,
>>> like the XHR attribute).
>>
>> Hold on.  If you _do_ set withCredentials, you should be required to pass
>> the credentials in or something.  Under no circumstances would prompting for
>> credentials for a request associated with an already-unloaded page be OK
>> from my point of view....
>
> There seems to be some confusion here regarding how withCredentials
> works. First of all withCredentials is a CORS thing. CORS requests
> *never* pop up an authentication dialog. (There is also the question
> of if we want to support CORS here, I suspect we do).
>
> But I totally agree with Boris that we can't ever pop up security
> dialogs for a site that the user has left.

I definitely agree that we never pop up an auth dialog for an
unloadHandler request.  That's just silly.

If I'm understanding XHR's withCredentials flag, it just sends the
*existing* ambient credentials, to apply against HTTP auth (along with
cookies and such).  It doesn't prompt you for anything if you don't
already have ambient credentials for a given site, right?

~TJ


