[whatwg] Fetch: HTTP Authentication
robin at w3.org
Thu Mar 14 09:34:52 PDT 2013
On 14/03/2013 15:59 , Anne van Kesteren wrote:
> So if the server replies with status 401 and a WWW-Authenticate header
> that is properly formatted (I did not do detailed syntax checks but
> e.g. WWW-Authenticate: basicerror does not work) is present, we prompt
> the user. We do this for <img>, <script>, new Worker(),
> XMLHttpRequest, workers' importScripts() (including shared workers!),
> We do not prompt for cross-origin requests when CORS is opted into.
> Is there anything we should do here? Prompting the end user for
> requests they did not explicitly initiate via navigation seems very
> confusing. On the other hand maybe creating a divergence here is not
> worth it at this point.
People who don't rely on this will never have their users see the
prompts, so it's hardly harming them.

People who *do* rely on this (assuming they exist — in this case they
probably do somewhere) will find their services broken if we change it.

So on the face of things, I get the impression that there's zero cost in
keeping things the way they are, and risk in changing them.

I think that the lack of interoperability, and the complete inanity of
prompting in browsers where it happens, is more problematic in the case
of unsafe redirects.

Robin Berjon - http://berjon.com/ - @robinberjon