Provide a mechanism to disable Basic HTTP Auth (Policy or otherwise)
Categories: Core :: Networking: HTTP, enhancement, P2
People: Reporter: mkaply, Assigned: sekim
References: Depends on 1 open bug
Details: Keywords: parity-edge, Whiteboard: [necko-triaged][necko-priority-next]
Chrome and Edge have a policy to disable Basic HTTP Auth for security reasons:
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#basicauthoverhttpenabled
It would be nice if we provided something similar.
Comment 1 (Reporter) • 3 years ago
I checked on Chrome and in the case where it's turned off, they just return a 401 not authorized (no UI).
They never even send the request, just return immediately.
Comment 2 (Reporter) • 3 years ago
Easy place to test:
Comment 3 • 11 months ago
I understand the requirement here is that we want to add a pref that disables Basic auth over unencrypted HTTP.
Seems easy enough. Let's try to do it.
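The requirement stated in Comment 3, sketched as an added example (not code from this bug or from Firefox): a client-side decision that ignores Basic challenges on cleartext `http:` when a preference turns them off, while still allowing other schemes offered in the same 401. The pref name `example.basicAuthOverHttp.enabled`, the function names, and the sample headers are hypothetical and constructed for illustration.

```javascript
// Hypothetical pref name, for illustration only (not a real Firefox pref).
const PREF = "example.basicAuthOverHttp.enabled";

// Extract the auth schemes offered in a WWW-Authenticate value.
// One header may carry several challenges, each with comma-separated params.
function challengeSchemes(headerValue) {
  // Blank out quoted strings so a comma inside realm="a, b" does not split.
  const unquoted = headerValue.replace(/"(?:[^"\\]|\\.)*"/g, '""');
  const schemes = [];
  for (const part of unquoted.split(",")) {
    // "name=value" at the start means an auth-param of the previous challenge.
    if (/^\s*[^\s=]+\s*=/.test(part)) continue;
    const m = /^\s*([^\s=]+)/.exec(part);
    if (m) schemes.push(m[1].toLowerCase()); // scheme names are case-insensitive
  }
  return schemes;
}

// Decide how to handle a 401 for `url`.
//   action "prompt": credentials may be requested for the listed schemes
//   action "fail":   surface the 401 as-is, with no credential UI
function onUnauthorized(url, wwwAuthenticate, prefs) {
  const basicOverHttpAllowed = prefs[PREF] !== false; // unset means allowed
  const cleartext = new URL(url).protocol === "http:";
  const usable = challengeSchemes(wwwAuthenticate).filter(
    (s) => !(s === "basic" && cleartext && !basicOverHttpAllowed)
  );
  return { action: usable.length > 0 ? "prompt" : "fail", schemes: usable };
}

// Constructed sample: Basic is dropped on http:, Digest stays available.
const sample = onUnauthorized(
  "http://intranet.example/",
  'BASIC realm="ops, staging", Digest realm="ops", nonce="abc"',
  { [PREF]: false }
);
console.log(sample.action, sample.schemes.join(","));
```

Filtering per challenge rather than per response matters when a server offers several schemes: the client must not fall back to Basic just because it is listed first.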
Updated • 5 months ago
Can be tested with http://httpbin.org/bearer.
Hello Valentin, do we need a separate error page for this patch?
Comment 6 • 25 days ago
No, I don't think we need a separate one. But I assume bug 1325876 will also cover this.
We should complete the patch once bug 1325876 is landed.