[webkit-dev] CORS and user credentials prompting

Anne van Kesteren annevk at annevk.nl
Thu May 22 00:55:01 PDT 2014

On Mon, May 19, 2014 at 10:33 AM, youenn fablet <youennf at gmail.com> wrote:
> While looking at http://webkit.org/b/126619, a question came to my mind on
> user credentials prompting for cross-origin resources.
> WebKit allows prompting users for credentials in case of loading
> cross-origin resources (except for XHR).

Having just an exception for XMLHttpRequest seems very strange to me.
In the normal same-origin case both XMLHttpRequest and <img> prompt,
so if CORS is enabled I would expect both not to prompt.

(In general we should more closely investigate where we can avoid
prompting and just return the 401 as it's a source of very confusing
end user UI.)


More information about the webkit-dev mailing list