[whatwg] Fetch: HTTP Authentication

Robin Berjon robin at w3.org
Thu Mar 14 09:34:52 PDT 2013

On 14/03/2013 15:59 , Anne van Kesteren wrote:
> So if the server replies with status 401 and a WWW-Authenticate header
> that is properly formatted (I did not do detailed syntax checks but
> e.g. WWW-Authenticate: basicerror does not work) is present, we prompt
> the user. We do this for <img>, <script>, new Worker(),
> XMLHttpRequest, workers' importScripts() (including shared workers!),
> ...
> We do not prompt for cross-origin requests when CORS is opted into.
> Is there anything we should do here? Prompting the end user for
> requests they did not explicitly initiate via navigation seems very
> confusing. On the other hand maybe creating a divergence here is not
> worth it at this point.

People who don't rely on this will never have their users see the 
prompts, so it's hardly harming them.

People who *do* rely on this (assuming they exist — in this case they 
probably do somewhere) will find their services broken if we change it. 
So on the face of things, I get the impression that there's zero cost in 
keeping things the way they are, and risk in changing them.

I think that the lack of interoperability, and the complete inanity of 
prompting in browsers where it happens, is more problematic in the case 
of unsafe redirects.

Robin Berjon - http://berjon.com/ - @robinberjon

More information about the whatwg mailing list