[whatwg] Fetch: HTTP Authentication

Anne van Kesteren annevk at annevk.nl
Thu Mar 14 08:59:33 PDT 2013

So if the server replies with status 401 and a WWW-Authenticate header
that is properly formatted (I did not do detailed syntax checks but
e.g. WWW-Authenticate: basicerror does not work) is present, we prompt
the user. We do this for <img>, <script>, new Worker(),
XMLHttpRequest, workers' importScripts() (including shared workers!),

We do not prompt for cross-origin requests when CORS is opted into.

Is there anything we should do here? Prompting the end user for
requests they did not explicitly initiate via navigation seems very
confusing. On the other hand maybe creating a divergence here is not
worth it at this point.


More information about the whatwg mailing list