On Mon, May 7, 2012 at 12:30 PM, Tab Atkins Jr. <[email protected]> wrote: > On Mon, May 7, 2012 at 9:05 PM, Jonas Sicking <[email protected]> wrote: >> On Mon, May 7, 2012 at 8:59 AM, Boris Zbarsky <[email protected]> wrote: >>> On 5/7/12 11:53 AM, Tab Atkins Jr. wrote: >>>> Yes, definitely (unless you set .withCredentials on it or something, >>>> like the XHR attribute). >>> >>> Hold on. If you _do_ set withCredentials, you should be required to pass >>> the credentials in or something. Under no circumstances would prompting for >>> credentials for a request associated with an already-unloaded page be OK >>> from my point of view.... >> >> There seems to be some confusion here regarding how withCredentials >> works. First of all withCredentials is a CORS thing. CORS requests >> *never* pop up an authentication dialog. (There is also the question >> of if we want to support CORS here, I suspect we do). >> >> But I totally agree with Boris that we can't ever pop up security >> dialogs for a site that the user has left. > > I definitely agree that we never pop up an auth dialog for an > unloadHandler request. That's just silly. > > If I'm understanding XHR's withCredentials flag, it just sends the > *existing* ambient credentials, to apply against HTTP auth (along with > cookies and such). It doesn't prompt you for anything if you don't > already have ambient credentials for a given site, right?
Correct. / Jonas
