[webkit-dev] Do we need a "webkitBackground" property for XMLHttpRequest?

xuewen xuewen.wang at torchmobile.com.cn
Wed Jul 25 00:57:05 PDT 2012


As I tested, the chromium Version 22.0.1217.0 (148296) shows auth
dialogs for both XHR and sub-resources. Perhaps the changing has not
been pushed to trunk !?

On 07/25/2012 12:58 AM, Adam Barth wrote:
> On Tue, Jul 24, 2012 at 9:28 AM, xuewen.wang
> <xuewen.wang at torchmobile.com.cn> wrote:
>> Do you know why the chromium has not cancel auth dialog for XHR? Is this
>> the main reason?
> The network stack folks did a round of removing auth dialogs for
> subresources a while back.  I'm not sure why they didn't remove the
> dialog from XHR.  It's possible they ran into compat trouble or that
> it was an oversight.
>
> Adam
>
>
>> On 07/24/2012 11:52 PM, Brady Eidson wrote:
>>> On Jul 24, 2012, at 2:58 AM, Adam Barth <abarth at webkit.org> wrote:
>>>
>>>> I don't think we should add this property.  Instead we should not ever
>>>> present HTTP auth dialogs for any requests other than the main
>>>> resource for the top-level frame.  Presenting HTTP auth dialogs in
>>>> other contexts is a phishing risk.
>>> I think there are corporate/financial apps that would break if this was policy.
>>>
>>> Thanks,
>>> ~Brady
>>>
>>>> Adam
>>>>
>>>>
>>>> On Tue, Jul 24, 2012 at 2:47 AM, xuewen <xuewen.wang at torchmobile.com.cn> wrote:
>>>>> When we send XMLHttpRequest  to access search engines or it is sent from
>>>>> chrome extensions,  we may do/don't want the browser to show the
>>>>> authentication challenge dialog. Should we provide a property to give a
>>>>> choice to users such as the "webkitBackground"?
>>>>>
>>>>> Please see the bug https://bugs.webkit.org/show_bug.cgi?id=91964
>>>>>
>>>>> If we totally disable XHR popping up the challenge dialogs, then how can the
>>>>> user request the resource using XHR from the sites across origins and
>>>>> requiring authentications? Or will this operation be disallowed in the
>>>>> future?
>>>>>
>>>>> One way is to show a form by javascript to ask for the credentials in its
>>>>> "onReadyStatusChange" and resend it by XHR. Is this the reason to totally
>>>>> disable the XHR popping up challenge dialogs?
>>>>>
>>>>> Sean Wang
>>>> _______________________________________________
>>>> webkit-dev mailing list
>>>> webkit-dev at lists.webkit.org
>>>> http://lists.webkit.org/mailman/listinfo/webkit-dev
>>> .
>>>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20120725/f1fdbd0f/attachment.html>


More information about the webkit-dev mailing list