On Tue, May 12, 2015 at 6:05 AM, Brad Hill <hillb...@gmail.com> wrote:
> Chrome did do that once upon a time (blocking 401 prompts on all
> subresource loads), but it opened up a brute-force hole where the lack of UI
> allowed extremely rapid testing of HTTP Basic-requiring resources, so it
> got backed out. I'm not sure where it eventually ended up, but I know it
> was an issue. I'd think that for a sandboxed iframe you could be a bit
> more draconian and not just short-circuit the prompt but totally forbid
> connecting to resources which require an Authentication header, blocking
> the avenue of exploit as well as the phishing risk. It seems there should
> be very few if any use cases for sandboxed content calling
> HTTP-authenticated resources.
>

Yes. That was how I interpreted the suggestion as well; we'd suppress the dialog by cancelling the request. :)

-mike

--
Mike West <mk...@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
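The distinction the thread turns on is between three ways a user agent can react to a 401 challenge: show the credential prompt, suppress the prompt but still deliver the 401 to the page (the Chrome behaviour that was backed out, since a UI-less failure is what makes rapid guessing cheap), or cancel the request outright so sandboxed content never reaches an authenticated resource. The following is an added example, not code from this thread or from any browser: a small model of that decision, with a parser for the `WWW-Authenticate` challenge header (multiple comma-separated challenges are handled) and a helper that derives the sandbox state from an iframe's `sandbox` attribute. The request-context shape (`inSandboxedFrame`, `isSubresource`) and the response shape are assumptions made for the example.

```javascript
// Added example (not from the thread): modelling the 401-handling policy
// discussed above. Outcomes: 'prompt', 'cancel', or 'pass' (not a challenge).

// Parse a WWW-Authenticate value into [{scheme, params}, ...].
// Handles several challenges in one header, e.g.
//   'Basic realm="a", Digest realm="b", qop="auth"'
// Scheme names and parameter names are case-insensitive (lower-cased here).
function parseChallenges(value) {
  const challenges = [];
  // Alternative 1: name=value parameter (quoted or token value).
  // Alternative 2: a bare token, which starts a new challenge.
  const re = /\s*,?\s*(?:([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|[^,\s]*)|([!#$%&'*+.^_`|~0-9A-Za-z-]+))/g;
  let m;
  while ((m = re.exec(value)) !== null) {
    if (m[3] !== undefined) {
      challenges.push({ scheme: m[3].toLowerCase(), params: {} });
    } else if (challenges.length > 0) {
      let v = m[2];
      if (v.startsWith('"')) v = v.slice(1, -1).replace(/\\(.)/g, '$1'); // unquote
      challenges[challenges.length - 1].params[m[1].toLowerCase()] = v;
    }
    // A parameter before any scheme is malformed and is dropped.
  }
  return challenges;
}

// Derive frame sandbox state from the iframe's sandbox attribute value.
// null  -> attribute absent, frame is not sandboxed
// ''    -> attribute present but empty, fully sandboxed (no allowances)
// 'allow-scripts allow-forms' -> sandboxed with the listed allowances
function sandboxFromAttribute(attr) {
  if (attr === null || attr === undefined) return { sandboxed: false, allow: new Set() };
  const tokens = attr.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase());
  return { sandboxed: true, allow: new Set(tokens) };
}

// Decide what the user agent does with a response, given the load's context.
// ctx: { inSandboxedFrame: bool, isSubresource: bool }      (assumed shape)
// response: { status: number, headers: { 'www-authenticate': string } }
function decideOnAuthChallenge(ctx, response) {
  if (response.status !== 401) return 'pass';
  const headers = response.headers || {};
  const challenges = parseChallenges(headers['www-authenticate'] || '');
  if (challenges.length === 0) return 'pass'; // 401 without a usable challenge: nothing to prompt for
  // The option Brad describes: sandboxed content never talks to authenticated
  // resources, so the request is cancelled (no dialog, no silent retry path).
  if (ctx.inSandboxedFrame) return 'cancel';
  // Elsewhere the prompt is kept; suppressing only the UI is what was backed out.
  return 'prompt';
}

// Walk a few constructed loads through the policy.
function demo() {
  const challenge = { status: 401, headers: { 'www-authenticate': 'Basic realm="Secure Area"' } };
  const sandboxed = sandboxFromAttribute('allow-scripts');
  const plain = sandboxFromAttribute(null);
  return {
    sandboxedSubresource: decideOnAuthChallenge({ inSandboxedFrame: sandboxed.sandboxed, isSubresource: true }, challenge),
    topLevel: decideOnAuthChallenge({ inSandboxedFrame: plain.sandboxed, isSubresource: false }, challenge),
    ok: decideOnAuthChallenge({ inSandboxedFrame: false, isSubresource: false }, { status: 200, headers: {} }),
  };
}

console.log(demo());
```

Note that the sandboxed check is driven purely by the presence of the `sandbox` attribute, so a frame with `allow-same-origin` is still cancelled here; if a product wanted an exception for such frames it would be a deliberate policy choice, and the parsed `allow` set is where that decision would hook in.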
> Chrome did to that once upon a time (blocking 401 prompts on all > subresource loads) but it opened up a brute-force hole where the lack of UI > allowed extremely rapid testing of HTTP Basic requiring resources, so it > got backed out. I'm not sure where it eventually ended up, but I know it > was an issue. I'd think that for a sandboxed iframe you could be a bit > more draconian and not just short-circuit the prompt but totally forbid > connecting to resources which require an Authentication header, blocking > the avenue of exploit as well as the phishing risk. It seems there should > be very few if any use cases for sandboxed content calling > HTTP-authenticated resources. > Yes. That was how I interpreted the suggestion as well; we'd suppress the dialog by cancelling the request. :) -mike -- Mike West <mk...@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) >