On Mon, May 19, 2014 at 10:33 AM, youenn fablet <youe...@gmail.com> wrote:
> While looking at http://webkit.org/b/126619, a question came to my mind on
> user credentials prompting for cross-origin resources.
> WebKit allows prompting users for credentials in case of loading
> cross-origin resources (except for XHR).

Having just an exception for XMLHttpRequest seems very strange to me.
In the normal same-origin case both XMLHttpRequest and <img> prompt,
so if CORS is enabled I would expect both not to prompt.

(In general we should more closely investigate where we can avoid
prompting and just return the 401 as it's a source of very confusing
end user UI.)

webkit-dev mailing list

Reply via email to