Problem statement:
The issue is that when mail.example.com allows content with embedded resources (e.g. img tags) loaded from 3rd-party servers (say evil.example.com), those endpoints can force HTTP basic-auth on the mail.example.com user by setting basic-auth HTTP headers. This can potentially steal user credentials.
Feature request:
A way to disable basic-auth on the top-level web page that also gets applied to all embedded iframes in the page. Many websites do not require basic-auth, yet they are vulnerable to this attack.
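The mechanism described above, as an added example that is not part of this issue or of the Feature Policy spec: a server-side guard for a first-party image proxy, which is the mitigation a site can deploy today while no browser policy exists. It assumes the mail site already fetches third-party images through its own origin; the names `relay_embedded_resource`, `UpstreamResponse`, `ProxyDecision` and the sample responses are constructed for illustration, and returning an empty 404 for a suppressed challenge is a design choice, not a documented convention.

```python
# Added example, not code from the feature-policy issue or the spec: a
# guard for a first-party image proxy that refuses to relay an upstream
# HTTP Basic challenge coming from a third-party resource.
from dataclasses import dataclass

# Headers a third-party resource must never be allowed to inject into a
# response that is served from the first-party origin.
BLOCKED_RESPONSE_HEADERS = {"www-authenticate", "proxy-authenticate", "set-cookie"}


@dataclass
class UpstreamResponse:
    """Response the proxy fetched from the third-party server (hypothetical type)."""
    status: int
    headers: dict  # header name (any case) -> value
    body: bytes = b""


@dataclass
class ProxyDecision:
    """What the proxy will actually send back to the browser (hypothetical type)."""
    status: int
    headers: dict
    body: bytes
    flagged: bool  # True when an auth challenge was suppressed and should be logged


def get_header(headers: dict, name: str):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def relay_embedded_resource(upstream: UpstreamResponse) -> ProxyDecision:
    """Decide how to relay a third-party embedded resource.

    A 401/407 status, or any WWW-Authenticate / Proxy-Authenticate header
    (even on a 200), is replaced by an empty, uncacheable 404 with no
    challenge header, so the browser has nothing to prompt the user for.
    Everything else is passed through with the blocked headers stripped.
    """
    challenge = (get_header(upstream.headers, "WWW-Authenticate")
                 or get_header(upstream.headers, "Proxy-Authenticate"))
    if upstream.status in (401, 407) or challenge is not None:
        return ProxyDecision(status=404,
                             headers={"Content-Type": "text/plain",
                                      "Cache-Control": "no-store"},
                             body=b"", flagged=True)
    safe_headers = {k: v for k, v in upstream.headers.items()
                    if k.lower() not in BLOCKED_RESPONSE_HEADERS}
    return ProxyDecision(status=upstream.status, headers=safe_headers,
                         body=upstream.body, flagged=False)


def audit_line(origin: str, decision: ProxyDecision) -> str:
    """One log line per suppressed challenge, for detection dashboards."""
    return f"auth-challenge-suppressed upstream={origin} served={decision.status}"


# Constructed sample inputs (not captured traffic).
HOSTILE = UpstreamResponse(401, {"WWW-Authenticate": 'Basic realm="mail.example.com"',
                                 "Content-Type": "text/html"}, b"<html>login</html>")
BENIGN = UpstreamResponse(200, {"Content-Type": "image/png", "Set-Cookie": "t=1"},
                          b"\x89PNG...")

if __name__ == "__main__":
    for origin, resp in (("evil.example.com", HOSTILE), ("cdn.example.net", BENIGN)):
        decision = relay_embedded_resource(resp)
        print(origin, decision.status, sorted(decision.headers), decision.flagged)
        if decision.flagged:
            print(audit_line(origin, decision))
```

This only protects resources that actually go through the proxy (images the site rewrites to its own origin); a third-party iframe still loads directly from evil.example.com, which is exactly the gap the requested top-level policy would close.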
I like this idea, although we'd have to find a way to ensure that it could apply to the image resource at mail.example.com, even when evil.example.com is definitely not going to apply a no-basic-auth policy to itself.
foolip added a commit to foolip/feature-policy that referenced this issue on Jun 18, 2018:
The style of `Header-Name` follows Fetch, but the &w3c#96; in the source
are necessary because of "Markup Shorthands: css no, markdown yes" in
the <pre class="metadata">.
Cloned from: https://bugs.chromium.org/p/chromium/issues/detail?id=783941
@mikewest @clelland