[whatwg] Fetch: HTTP Authentication

Glenn Maynard glenn at zewt.org
Thu Mar 14 10:05:16 PDT 2013

On Thu, Mar 14, 2013 at 11:34 AM, Robin Berjon <robin at w3.org> wrote:

> People who don't rely on this will never have their users see the prompts,
> so it's hardly harming them.

It harmed me slightly just a couple days ago.  I moved a page that makes an
XHR request from one server to another.  The XHR request on the new server
accidentally pointed to an unrelated resource that was password-protected.
 When I loaded the page, I got a password prompt for a resource I
absolutely knew didn't require a password, which, until I figured out what
was going on, made me worry that my server had been compromised or that
some kind of MITM was taking place.

I don't know if it's possible or impossible to change this (probably not,
at least for XHR initiated from the UI thread), or if it's worth trying,
but weird behavior is always harmful, and XHR causing user prompting is
definitely weird.  There definitely shouldn't be prompting for anything
taking place in a worker.

Glenn Maynard

More information about the whatwg mailing list