[webkit-dev] Do we need a "webkitBackground" property for XMLHttpRequest?

Adam Barth abarth at webkit.org
Wed Jul 25 08:18:06 PDT 2012


There is no such thing as "pushing to trunk" for Chromium.  All
development happens on trunk.  That sounds like a regression.  I'll
follow up with the networking folks.

Thanks for checking!

Adam


On Wed, Jul 25, 2012 at 12:57 AM, xuewen <xuewen.wang at torchmobile.com.cn> wrote:
> As I tested, the chromium Version 22.0.1217.0 (148296) shows auth dialogs
> for both XHR and sub-resources. Perhaps the changing has not been pushed to
> trunk !?
>
> On 07/25/2012 12:58 AM, Adam Barth wrote:
>
> On Tue, Jul 24, 2012 at 9:28 AM, xuewen.wang
> <xuewen.wang at torchmobile.com.cn> wrote:
>
> Do you know why the chromium has not cancel auth dialog for XHR? Is this
> the main reason?
>
> The network stack folks did a round of removing auth dialogs for
> subresources a while back.  I'm not sure why they didn't remove the
> dialog from XHR.  It's possible they ran into compat trouble or that
> it was an oversight.
>
> Adam
>
>
> On 07/24/2012 11:52 PM, Brady Eidson wrote:
>
> On Jul 24, 2012, at 2:58 AM, Adam Barth <abarth at webkit.org> wrote:
>
> I don't think we should add this property.  Instead we should not ever
> present HTTP auth dialogs for any requests other than the main
> resource for the top-level frame.  Presenting HTTP auth dialogs in
> other contexts is a phishing risk.
>
> I think there are corporate/financial apps that would break if this was
> policy.
>
> Thanks,
> ~Brady
>
> Adam
>
>
> On Tue, Jul 24, 2012 at 2:47 AM, xuewen <xuewen.wang at torchmobile.com.cn>
> wrote:
>
> When we send XMLHttpRequest  to access search engines or it is sent from
> chrome extensions,  we may do/don't want the browser to show the
> authentication challenge dialog. Should we provide a property to give a
> choice to users such as the "webkitBackground"?
>
> Please see the bug https://bugs.webkit.org/show_bug.cgi?id=91964
>
> If we totally disable XHR popping up the challenge dialogs, then how can the
> user request the resource using XHR from the sites across origins and
> requiring authentications? Or will this operation be disallowed in the
> future?
>
> One way is to show a form by javascript to ask for the credentials in its
> "onReadyStatusChange" and resend it by XHR. Is this the reason to totally
> disable the XHR popping up challenge dialogs?
>
> Sean Wang
>
> _______________________________________________
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
> http://lists.webkit.org/mailman/listinfo/webkit-dev
>
> .
>
>


More information about the webkit-dev mailing list