On 14/03/2013 15:59, Anne van Kesteren wrote:
> So if the server replies with status 401 and a WWW-Authenticate header
> that is properly formatted (I did not do detailed syntax checks but
> e.g. WWW-Authenticate: basicerror does not work) is present, we prompt
> the user. We do this for <img>, <script>, new Worker(),
> XMLHttpRequest, workers' importScripts() (including shared workers!),
> ...
>
> We do not prompt for cross-origin requests when CORS is opted into.
>
> Is there anything we should do here? Prompting the end user for
> requests they did not explicitly initiate via navigation seems very
> confusing. On the other hand maybe creating a divergence here is not
> worth it at this point.
People who don't rely on this will never have their users see the
prompts, so it's hardly harming them.

People who *do* rely on this (assuming they exist — in this case they
probably do somewhere) will find their services broken if we change it.

So on the face of things, I get the impression that there's zero cost in
keeping things the way they are, and risk in changing them.

I think that the lack of interoperability, and the complete inanity of
prompting in browsers where it happens, is more problematic in the case
of unsafe redirects.
--
Robin Berjon - http://berjon.com/ - @robinberjon
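As an added illustration of the rule Anne describes above (this is example code written for this page, not code from either author or from any browser): a small Python model that parses a WWW-Authenticate challenge using the RFC 7235 grammar (auth-scheme, then either a token68 or a comma-separated list of auth-params), decides whether a 401 response would trigger the credential prompt for a subresource request, and runs that check over a constructed list of API responses. The set of schemes assumed to prompt (Basic and Digest), the single-challenge simplification, and the sample responses are assumptions, not facts from the thread.

```python
"""Model of the prompting rule from the thread: status 401 plus a well-formed,
recognised WWW-Authenticate challenge makes the browser show a credential
prompt for subresource requests (img, script, XHR, workers), except for
cross-origin requests that opted into CORS. Added example; the challenge
grammar is taken from RFC 7235 and the prompting-scheme set is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Lexical pieces from RFC 7230/7235 (assumed from the RFC, not from the thread).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
_PARAM_NC = rf"{TOKEN}\s*=\s*(?:{TOKEN}|{QUOTED_STRING})"
PARAM_LIST = rf"{_PARAM_NC}(?:\s*,\s*{_PARAM_NC})*"

# One challenge only (simplification): scheme, then token68 or auth-params.
CHALLENGE_RE = re.compile(rf"^\s*({TOKEN})(?:\s+(?:({TOKEN68})|({PARAM_LIST})))?\s*$")
PARAM_RE = re.compile(rf"({TOKEN})\s*=\s*({TOKEN}|{QUOTED_STRING})")

# Schemes whose challenge drives the built-in credential dialog (assumption).
PROMPTING_SCHEMES = {"basic", "digest"}


@dataclass
class Challenge:
    scheme: str
    token68: Optional[str] = None
    params: dict = field(default_factory=dict)


def parse_challenge(header: str) -> Optional[Challenge]:
    """Return the parsed challenge, or None when the header value is malformed."""
    m = CHALLENGE_RE.match(header)
    if not m:
        return None
    scheme, t68, plist = m.groups()
    ch = Challenge(scheme=scheme, token68=t68)
    if plist:
        for name, value in PARAM_RE.findall(plist):
            if value.startswith('"'):
                # Strip the quotes and undo quoted-pair escapes (\" -> ").
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            ch.params[name.lower()] = value
    return ch


def would_prompt(status: int, www_authenticate: Optional[str],
                 cors_opted_in: bool = False) -> bool:
    """Apply the rule from the thread: prompt only on 401 with a recognised,
    well-formed challenge, and never when the request opted into CORS."""
    if status != 401 or cors_opted_in or www_authenticate is None:
        return False
    ch = parse_challenge(www_authenticate)
    # An unknown scheme such as "basicerror" parses as a bare token but does
    # not prompt, matching the observation in the thread.
    return ch is not None and ch.scheme.lower() in PROMPTING_SCHEMES


# Constructed sample of an API's responses (not real traffic).
SAMPLE_RESPONSES = [
    {"path": "/api/me", "status": 401,
     "www_authenticate": 'Basic realm="api"', "cors": False},
    {"path": "/api/orders", "status": 401,
     "www_authenticate": 'Bearer realm="api", error="invalid_token"', "cors": False},
    {"path": "/api/cross", "status": 401,
     "www_authenticate": 'Basic realm="api"', "cors": True},
    {"path": "/api/broken", "status": 401,
     "www_authenticate": "basicerror", "cors": False},
    {"path": "/api/ok", "status": 200, "www_authenticate": None, "cors": False},
]


def find_prompting_responses(responses) -> list:
    """Paths whose response would pop the credential dialog in a subresource fetch."""
    return [r["path"] for r in responses
            if would_prompt(r["status"], r["www_authenticate"], r["cors"])]


if __name__ == "__main__":
    for r in SAMPLE_RESPONSES:
        print(r["path"], would_prompt(r["status"], r["www_authenticate"], r["cors"]))
    print("would prompt:", find_prompting_responses(SAMPLE_RESPONSES))
```

The audit function is the defender-side use of the rule: an endpoint that answers XMLHttpRequest callers with 401 and a `Basic` challenge shows the dialog in the browsers described, while the same endpoint behind a CORS opt-in, or using a non-prompting scheme such as `Bearer`, does not.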