[whatwg] Fetch: HTTP Authentication

Anne van Kesteren annevk at annevk.nl
Thu Mar 14 09:57:50 PDT 2013

On Thu, Mar 14, 2013 at 4:34 PM, Robin Berjon <robin at w3.org> wrote:
> On 14/03/2013 15:59 , Anne van Kesteren wrote:
>> Is there anything we should do here? Prompting the end user for
>> requests they did not explicitly initiate via navigation seems very
>> confusing. On the other hand maybe creating a divergence here is not
>> worth it at this point.
> People who don't rely on this will never have their users see the prompts,
> so it's hardly harming them.
> People who *do* rely on this (assuming they exist — in this case they
> probably do somewhere) will find their services broken if we change it. So
> on the face of things, I get the impression that there's zero cost in
> keeping things the way they are, and risk in changing them.

Sure, I meant for new contexts and maybe some existing contexts, such
as workers. Also, for shared workers it's not entirely clear which
browsing context you'd prompt in if an importScript() or same-origin
XMLHttpRequest happened.

> I think that the lack of interoperability, and the complete inanity of
> prompting in browsers where it happens, is more problematic in the case of
> unsafe redirects.

There should simply be no prompting there, it makes no sense.

