Open Bug 1763671 Opened 3 years ago Updated 14 days ago

Provide a mechanism to disable Basic HTTP Auth (Policy or otherwise)

Categories

(Core :: Networking: HTTP, enhancement, P2)

Points: 1

People

(Reporter: mkaply, Assigned: sekim)

References

(Depends on 1 open bug)

Details

(Keywords: parity-edge, Whiteboard: [necko-triaged][necko-priority-next])

Chrome and Edge have a policy to disable Basic HTTP Auth for security reasons:

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#basicauthoverhttpenabled

It would be nice if we provided something similar.

Severity: -- → N/A
Priority: -- → P2
Whiteboard: [necko-triaged]

I checked on Chrome and in the case where it's turned off, they just return a 401 not authorized (no UI).

They never even send the request, just return immediately.

Easy place to test:

http://httpbin.org

Whiteboard: [necko-triaged] → [necko-triaged][necko-priority-new]

I understand the requirement here is that we want to add a pref that disables Basic auth over unencrypted HTTP.
Seems easy enough. Let's try to do it.

Keywords: parity-edge
Whiteboard: [necko-triaged][necko-priority-new] → [necko-triaged][necko-priority-next]
Points: --- → 1
Assignee: nobody → sekim

Can be tested with http://httpbin.org/bearer.

Hello Valentin, do we need a separate error page for this patch?

Flags: needinfo?(valentin.gosu)

No, I don't think we need a separate one. But I assume bug 1325876 will also cover this.

Flags: needinfo?(valentin.gosu)
See Also: → 1325876

We should complete the patch once bug 1325876 is landed.

Depends on: 1325876
See Also: 1325876
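
The pref discussed in this bug can be read as a filter on which `WWW-Authenticate` challenges a client is willing to answer. The sketch below is an added example, not code from this bug, Firefox or Chromium; `offeredSchemes`, `answerableSchemes` and the `allowBasicOverHttp` flag are hypothetical names. An empty result corresponds to surfacing the 401 with no credential prompt, the behaviour a comment above reports for Chrome.

```javascript
// Added example: every name here is hypothetical, not a Firefox or Chromium API.
"use strict";

// Split a WWW-Authenticate value on commas that sit outside quoted strings,
// so a realm such as "a, b" is not cut in half.
function splitOutsideQuotes(value) {
  const parts = [];
  let current = "";
  let inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuotes && ch === "\\" && i + 1 < value.length) {
      current += ch + value[++i]; // keep the escaped pair together
    } else if (ch === '"') {
      inQuotes = !inQuotes;
      current += ch;
    } else if (ch === "," && !inQuotes) {
      parts.push(current.trim());
      current = "";
    } else {
      current += ch;
    }
  }
  parts.push(current.trim());
  return parts.filter((p) => p.length > 0);
}

// Return the lower-cased auth schemes offered in the header.
function offeredSchemes(wwwAuthenticate) {
  const schemes = [];
  for (const item of splitOutsideQuotes(wwwAuthenticate)) {
    // A new challenge starts with a token followed by whitespace or end of item;
    // "name=value" items are parameters of the previous challenge.
    const m = /^([!#$%&'*+\-.^_`|~0-9A-Za-z]+)(?:\s+(.*))?$/.exec(item);
    if (m && !(m[2] || "").startsWith("=")) schemes.push(m[1].toLowerCase());
  }
  return schemes;
}

// Schemes the client may answer: Basic is dropped on cleartext http:// URLs
// unless the (hypothetical) allowBasicOverHttp flag is set.
function answerableSchemes(url, wwwAuthenticate, allowBasicOverHttp) {
  const cleartext = new URL(url).protocol === "http:";
  return offeredSchemes(wwwAuthenticate).filter(
    (s) => !(s === "basic" && cleartext && !allowBasicOverHttp)
  );
}
```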