Re: [webkit-dev] Do we need a "webkitBackground" property for XMLHttpRequest?
https://developer.mozilla.org/en/XmlHttpRequest#Non-standard_properties says that elevated privileges are required to access mozBackgroundRequest. That suggests that it is only there for use by Firefox and Firefox extensions.

At the very least, it seems like in Chromium, if we cannot suppress auth prompts generated from XHR in all cases, we could / should at least suppress them for XHR requests made by extensions.

Regards,
-Darin

On Tue, Jul 24, 2012 at 2:47 AM, xuewen wrote:
> When we send XMLHttpRequest to access search engines or it is sent from
> chrome extensions, we may do/don't want the browser to show the
> authentication challenge dialog. Should we provide a property to give a
> choice to users such as the "webkitBackground"?
>
> Please see the bug https://bugs.webkit.org/show_bug.cgi?id=91964
>
> If we totally disable XHR popping up the challenge dialogs, then how can
> the user request the resource using XHR from the sites across origins and
> requiring authentications? Or will this operation be disallowed in the
> future?
>
> One way is to show a form by javascript to ask for the credentials in
> its "onReadyStatusChange" and resend it by XHR. Is this the reason to
> totally disable the XHR popping up challenge dialogs?
>
> Sean Wang

___
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Do we need a "webkitBackground" property for XMLHttpRequest?
> From: aba...@gmail.com [aba...@gmail.com] on behalf of Adam Barth
> [aba...@webkit.org]
>
> There is no such thing as "pushing to trunk" for Chromium. All
> development happens on trunk. That sounds like a regression. I'll
> follow up with the networking folks.

Thanks! Mind keeping us up to date on what you find out?

Joe
Re: [webkit-dev] Do we need a "webkitBackground" property for XMLHttpRequest?
There is no such thing as "pushing to trunk" for Chromium. All development happens on trunk. That sounds like a regression. I'll follow up with the networking folks.

Thanks for checking!

Adam

On Wed, Jul 25, 2012 at 12:57 AM, xuewen wrote:
> As I tested, the chromium Version 22.0.1217.0 (148296) shows auth dialogs
> for both XHR and sub-resources. Perhaps the changing has not been pushed to
> trunk !?
>
> On 07/25/2012 12:58 AM, Adam Barth wrote:
>
> On Tue, Jul 24, 2012 at 9:28 AM, xuewen.wang wrote:
>
> Do you know why the chromium has not cancel auth dialog for XHR? Is this
> the main reason?
>
> The network stack folks did a round of removing auth dialogs for
> subresources a while back. I'm not sure why they didn't remove the
> dialog from XHR. It's possible they ran into compat trouble or that
> it was an oversight.
>
> Adam
>
> On 07/24/2012 11:52 PM, Brady Eidson wrote:
>
> On Jul 24, 2012, at 2:58 AM, Adam Barth wrote:
>
> I don't think we should add this property. Instead we should not ever
> present HTTP auth dialogs for any requests other than the main
> resource for the top-level frame. Presenting HTTP auth dialogs in
> other contexts is a phishing risk.
>
> I think there are corporate/financial apps that would break if this was
> policy.
>
> Thanks,
> ~Brady
>
> Adam
>
> On Tue, Jul 24, 2012 at 2:47 AM, xuewen wrote:
>
> When we send XMLHttpRequest to access search engines or it is sent from
> chrome extensions, we may do/don't want the browser to show the
> authentication challenge dialog. Should we provide a property to give a
> choice to users such as the "webkitBackground"?
>
> Please see the bug https://bugs.webkit.org/show_bug.cgi?id=91964
>
> If we totally disable XHR popping up the challenge dialogs, then how can the
> user request the resource using XHR from the sites across origins and
> requiring authentications? Or will this operation be disallowed in the
> future?
>
> One way is to show a form by javascript to ask for the credentials in its
> "onReadyStatusChange" and resend it by XHR. Is this the reason to totally
> disable the XHR popping up challenge dialogs?
>
> Sean Wang
Re: [webkit-dev] Do we need a "webkitBackground" property for XMLHttpRequest?
> From: webkit-dev-boun...@lists.webkit.org
> [webkit-dev-boun...@lists.webkit.org] on behalf of Brady Eidson
> [beid...@apple.com]
>
> I think there are corporate/financial apps that would break if this was
> policy.

Any idea which?

Joe
Re: [webkit-dev] Do we need a "webkitBackground" property for XMLHttpRequest?
> From: webkit-dev-boun...@lists.webkit.org
> [webkit-dev-boun...@lists.webkit.org] on behalf of Adam Barth
> [aba...@webkit.org]
>
> The network stack folks did a round of removing auth dialogs for
> subresources a while back. I'm not sure why they didn't remove the
> dialog from XHR. It's possible they ran into compat trouble or that
> it was an oversight.

If they're not reading this thread, got a name I can contact directly? If there was compat trouble I'd like to document it.

Joe
Re: [webkit-dev] Do we need a "webkitBackground" property for XMLHttpRequest?
As I tested, the chromium Version 22.0.1217.0 (148296) shows auth dialogs for both XHR and sub-resources. Perhaps the changing has not been pushed to trunk !?

On 07/25/2012 12:58 AM, Adam Barth wrote:
> On Tue, Jul 24, 2012 at 9:28 AM, xuewen.wang wrote:
>> Do you know why the chromium has not cancel auth dialog for XHR? Is this
>> the main reason?
> The network stack folks did a round of removing auth dialogs for
> subresources a while back. I'm not sure why they didn't remove the
> dialog from XHR. It's possible they ran into compat trouble or that
> it was an oversight.
>
> Adam
>
>> On 07/24/2012 11:52 PM, Brady Eidson wrote:
>>> On Jul 24, 2012, at 2:58 AM, Adam Barth wrote:
>>>> I don't think we should add this property. Instead we should not ever
>>>> present HTTP auth dialogs for any requests other than the main
>>>> resource for the top-level frame. Presenting HTTP auth dialogs in
>>>> other contexts is a phishing risk.
>>> I think there are corporate/financial apps that would break if this was
>>> policy.
>>>
>>> Thanks,
>>> ~Brady
>>>
>>>> Adam
>>>>
>>>> On Tue, Jul 24, 2012 at 2:47 AM, xuewen wrote:
>>>>> When we send XMLHttpRequest to access search engines or it is sent from
>>>>> chrome extensions, we may do/don't want the browser to show the
>>>>> authentication challenge dialog. Should we provide a property to give a
>>>>> choice to users such as the "webkitBackground"?
>>>>>
>>>>> Please see the bug https://bugs.webkit.org/show_bug.cgi?id=91964
>>>>>
>>>>> If we totally disable XHR popping up the challenge dialogs, then how can
>>>>> the user request the resource using XHR from the sites across origins and
>>>>> requiring authentications? Or will this operation be disallowed in the
>>>>> future?
>>>>>
>>>>> One way is to show a form by javascript to ask for the credentials in its
>>>>> "onReadyStatusChange" and resend it by XHR. Is this the reason to totally
>>>>> disable the XHR popping up challenge dialogs?
>>>>>
>>>>> Sean Wang
Re: [webkit-dev] Do we need a "webkitBackground" property for XMLHttpRequest?
> From: webkit-dev-boun...@lists.webkit.org
> [webkit-dev-boun...@lists.webkit.org] on behalf of Adam Barth
> [aba...@webkit.org]
>
> > Do you know why the chromium has not cancel auth dialog for XHR? Is this
> > the main reason?
>
> The network stack folks did a round of removing auth dialogs for
> subresources a while back. I'm not sure why they didn't remove the
> dialog from XHR. It's possible they ran into compat trouble or that
> it was an oversight.

There's an open Chromium issue on the subject at http://code.google.com/p/chromium/issues/detail?id=31582, BTW. Although now I look at it the suggestion to clone mozBackgroundRequest looks to have come from a random person who reported the bug, and not an actual Chromium dev.

Joe
Re: [webkit-dev] Do we need a "webkitBackground" property for XMLHttpRequest?
On Tue, Jul 24, 2012 at 9:28 AM, xuewen.wang wrote:
> Do you know why the chromium has not cancel auth dialog for XHR? Is this
> the main reason?

The network stack folks did a round of removing auth dialogs for subresources a while back. I'm not sure why they didn't remove the dialog from XHR. It's possible they ran into compat trouble or that it was an oversight.

Adam

> On 07/24/2012 11:52 PM, Brady Eidson wrote:
>> On Jul 24, 2012, at 2:58 AM, Adam Barth wrote:
>>
>>> I don't think we should add this property. Instead we should not ever
>>> present HTTP auth dialogs for any requests other than the main
>>> resource for the top-level frame. Presenting HTTP auth dialogs in
>>> other contexts is a phishing risk.
>> I think there are corporate/financial apps that would break if this was
>> policy.
>>
>> Thanks,
>> ~Brady
>>
>>> Adam
>>>
>>> On Tue, Jul 24, 2012 at 2:47 AM, xuewen wrote:
>>>> When we send XMLHttpRequest to access search engines or it is sent from
>>>> chrome extensions, we may do/don't want the browser to show the
>>>> authentication challenge dialog. Should we provide a property to give a
>>>> choice to users such as the "webkitBackground"?
>>>>
>>>> Please see the bug https://bugs.webkit.org/show_bug.cgi?id=91964
>>>>
>>>> If we totally disable XHR popping up the challenge dialogs, then how can
>>>> the user request the resource using XHR from the sites across origins and
>>>> requiring authentications? Or will this operation be disallowed in the
>>>> future?
>>>>
>>>> One way is to show a form by javascript to ask for the credentials in its
>>>> "onReadyStatusChange" and resend it by XHR. Is this the reason to totally
>>>> disable the XHR popping up challenge dialogs?
>>>>
>>>> Sean Wang
Re: [webkit-dev] Do we need a "webkitBackground" property for XMLHttpRequest?
Adam:

Do you know why the chromium has not cancel auth dialog for XHR? Is this the main reason?

Sean Wang

On 07/24/2012 11:52 PM, Brady Eidson wrote:
> On Jul 24, 2012, at 2:58 AM, Adam Barth wrote:
>
>> I don't think we should add this property. Instead we should not ever
>> present HTTP auth dialogs for any requests other than the main
>> resource for the top-level frame. Presenting HTTP auth dialogs in
>> other contexts is a phishing risk.
> I think there are corporate/financial apps that would break if this was
> policy.
>
> Thanks,
> ~Brady
>
>> Adam
>>
>> On Tue, Jul 24, 2012 at 2:47 AM, xuewen wrote:
>>> When we send XMLHttpRequest to access search engines or it is sent from
>>> chrome extensions, we may do/don't want the browser to show the
>>> authentication challenge dialog. Should we provide a property to give a
>>> choice to users such as the "webkitBackground"?
>>>
>>> Please see the bug https://bugs.webkit.org/show_bug.cgi?id=91964
>>>
>>> If we totally disable XHR popping up the challenge dialogs, then how can the
>>> user request the resource using XHR from the sites across origins and
>>> requiring authentications? Or will this operation be disallowed in the
>>> future?
>>>
>>> One way is to show a form by javascript to ask for the credentials in its
>>> "onReadyStatusChange" and resend it by XHR. Is this the reason to totally
>>> disable the XHR popping up challenge dialogs?
>>>
>>> Sean Wang
Re: [webkit-dev] Do we need a "webkitBackground" property for XMLHttpRequest?
On Jul 24, 2012, at 2:58 AM, Adam Barth wrote:
> I don't think we should add this property. Instead we should not ever
> present HTTP auth dialogs for any requests other than the main
> resource for the top-level frame. Presenting HTTP auth dialogs in
> other contexts is a phishing risk.

I think there are corporate/financial apps that would break if this was policy.

Thanks,
~Brady

> Adam
>
> On Tue, Jul 24, 2012 at 2:47 AM, xuewen wrote:
>>
>> When we send XMLHttpRequest to access search engines or it is sent from
>> chrome extensions, we may do/don't want the browser to show the
>> authentication challenge dialog. Should we provide a property to give a
>> choice to users such as the "webkitBackground"?
>>
>> Please see the bug https://bugs.webkit.org/show_bug.cgi?id=91964
>>
>> If we totally disable XHR popping up the challenge dialogs, then how can the
>> user request the resource using XHR from the sites across origins and
>> requiring authentications? Or will this operation be disallowed in the
>> future?
>>
>> One way is to show a form by javascript to ask for the credentials in its
>> "onReadyStatusChange" and resend it by XHR. Is this the reason to totally
>> disable the XHR popping up challenge dialogs?
>>
>> Sean Wang
Re: [webkit-dev] Do we need a "webkitBackground" property for XMLHttpRequest?
I don't think we should add this property. Instead we should not ever present HTTP auth dialogs for any requests other than the main resource for the top-level frame. Presenting HTTP auth dialogs in other contexts is a phishing risk.

Adam

On Tue, Jul 24, 2012 at 2:47 AM, xuewen wrote:
>
> When we send XMLHttpRequest to access search engines or it is sent from
> chrome extensions, we may do/don't want the browser to show the
> authentication challenge dialog. Should we provide a property to give a
> choice to users such as the "webkitBackground"?
>
> Please see the bug https://bugs.webkit.org/show_bug.cgi?id=91964
>
> If we totally disable XHR popping up the challenge dialogs, then how can the
> user request the resource using XHR from the sites across origins and
> requiring authentications? Or will this operation be disallowed in the
> future?
>
> One way is to show a form by javascript to ask for the credentials in its
> "onReadyStatusChange" and resend it by XHR. Is this the reason to totally
> disable the XHR popping up challenge dialogs?
>
> Sean Wang
[webkit-dev] Do we need a "webkitBackground" property for XMLHttpRequest?
When we send XMLHttpRequest to access search engines or it is sent from chrome extensions, we may do/don't want the browser to show the authentication challenge dialog. Should we provide a property to give a choice to users such as the "webkitBackground"?

Please see the bug https://bugs.webkit.org/show_bug.cgi?id=91964

If we totally disable XHR popping up the challenge dialogs, then how can the user request the resource using XHR from the sites across origins and requiring authentications? Or will this operation be disallowed in the future?

One way is to show a form by javascript to ask for the credentials in its "onReadyStatusChange" and resend it by XHR. Is this the reason to totally disable the XHR popping up challenge dialogs?

Sean Wang
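
Added example (not part of the thread, and not WebKit or Chromium code): the approach raised in the original post above, where script handles the 401 in its readystatechange handler, asks for credentials through its own form, and resends the XHR. `requestWithScriptedLogin`, `askCredentials`, `parseRealm` and the `options` fields are hypothetical names; it assumes a same-origin target and a browser that delivers the 401 to script instead of showing its own dialog.

```javascript
// Added example; every name below is hypothetical, not a browser API,
// except the standard XMLHttpRequest members it calls.
function parseRealm(header) {
  // Pull realm="..." out of a WWW-Authenticate value so the form can show it.
  const m = /realm="([^"]*)"/i.exec(header || '');
  return m ? m[1] : '';
}

function requestWithScriptedLogin(url, askCredentials, done, options) {
  const opts = options || {};
  const XHR = opts.XHR || globalThis.XMLHttpRequest; // injectable for tests
  const maxPrompts = opts.maxPrompts === undefined ? 2 : opts.maxPrompts;
  let prompts = 0;

  function attempt(creds) {
    const xhr = new XHR();
    if (creds) {
      // open(method, url, async, user, password) supplies HTTP auth credentials.
      xhr.open('GET', url, true, creds.user, creds.password);
    } else {
      xhr.open('GET', url, true);
    }
    xhr.onreadystatechange = function () {
      if (xhr.readyState !== 4) return; // 4 == DONE
      if (xhr.status !== 401) {
        done({ status: xhr.status, body: xhr.responseText, prompts: prompts });
        return;
      }
      if (prompts >= maxPrompts) {
        // Bound the retries so a rejecting server cannot cause endless prompts.
        done({ status: 401, body: '', prompts: prompts });
        return;
      }
      prompts += 1;
      const realm = parseRealm(xhr.getResponseHeader('WWW-Authenticate'));
      // askCredentials draws the page's own form and calls back with
      // { user, password }, or null if the user cancelled.
      askCredentials(realm, function (answer) {
        if (!answer) {
          done({ status: 401, body: '', prompts: prompts });
          return;
        }
        attempt(answer);
      });
    };
    xhr.send(null);
  }

  attempt(null);
}
```

Credentials sent this way with Basic auth are only base64-encoded, so both the page and the target need to be served over HTTPS.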