Provide opt-out option to disable HTTP basic-auth on a webpage #96

Open
prbinu opened this issue Nov 18, 2017 · 1 comment

Comments

@prbinu

prbinu commented Nov 18, 2017

Cloned from: https://bugs.chromium.org/p/chromium/issues/detail?id=783941

Problem statement:
The issue is that when mail.example.com allows content with embedded resources (e.g. img tags) loaded from 3rd party servers (say evil.example.com), those endpoints can force HTTP basic-auth to the mail.example.com user by setting basic auth HTTP headers. This can potentially steal user credentials.

Feature request:
A way to disable basic-auth on the top-level web page, that also gets applied to all embedded iframes in the page. Many websites do not require basic-auth, yet they are vulnerable to this attack.

@mikewest @clelland
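A defender-side audit of the behaviour described in the report, as an added example that is not part of this issue or of the Feature Policy project: given a page URL and the subresource responses captured for it (for instance from a proxy or HAR export), it lists the responses whose 401 + `WWW-Authenticate: Basic` challenge would make the browser show a basic-auth prompt inside that page, and marks which of them come from a different origin than the page. The sample responses are constructed; the header parsing does not handle backslash-escaped quotes inside quoted strings.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """(scheme, host, port) of a URL, with default ports filled in."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def challenge_schemes(header_value):
    """Auth-scheme names in a WWW-Authenticate value, lower-cased.
    Splits on commas outside quoted strings; a part that is not a
    'name=value' parameter starts a new challenge and names its scheme."""
    parts, buf, quoted = [], [], False
    for ch in header_value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    schemes = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        first = part.split(None, 1)[0]
        if "=" not in first:  # parameters like realm="x" carry '='
            schemes.append(first.lower())
    return schemes


def basic_auth_prompts(page_url, responses):
    """responses: iterable of (resource_url, status, headers dict).
    Returns [(resource_url, is_cross_origin)] for every subresource that
    answers 401 with a Basic challenge, i.e. would trigger a login prompt."""
    page_origin = origin_of(page_url)
    flagged = []
    for url, status, headers in responses:
        if status != 401:
            continue
        hv = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), None)
        if hv is None or "basic" not in challenge_schemes(hv):
            continue
        flagged.append((url, origin_of(url) != page_origin))
    return flagged


PAGE = "https://mail.example.com/inbox"
SAMPLE_RESPONSES = [  # constructed sample, not captured from any real site
    ("https://mail.example.com/img/logo.png", 200, {"Content-Type": "image/png"}),
    ("https://evil.example.com/track.gif", 401, {"WWW-Authenticate": 'Basic realm="mail.example.com"'}),
    ("https://cdn.example.net/fonts.css", 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}),
    ("https://mail.example.com/avatar", 401, {"www-authenticate": 'Digest realm="x", qop="auth", Basic realm="y"'}),
]

if __name__ == "__main__":
    for url, cross in basic_auth_prompts(PAGE, SAMPLE_RESPONSES):
        print(("CROSS-ORIGIN " if cross else "same-origin  ") + url)
```

Cross-origin hits are the case the report is about; same-origin hits are the ones clelland's comment notes a page-level opt-out would also have to cover.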

@clelland
Collaborator

I like this idea, although we'd have to find a way to ensure that it could apply to the image resource at mail.example.com, even when evil.example.com is definitely not going to apply a no-basic-auth policy to itself.

foolip added a commit to foolip/feature-policy that referenced this issue Jun 18, 2018
The style of `Header-Name` follows Fetch, but the `&#96;` in the source
are necessary because of "Markup Shorthands: css no, markdown yes" in
the <pre class="metadata">.