Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
386 views
in Technique[技术] by (71.8m points)

html - Prevent HTTP Basic Authentication from displaying prompt for images

If I have an image from a different domain on a page, and that image is protected by HTTP Basic Authentication, the browser will present the authentication dialog to the user, looking like this:

Auth Dialog

Given that the site is a forum, so contains a lot of user-generated content, it's pretty easy for a malicious user to add an image like this, then potentially harvest the login credentials of the one or two people who fall for it and type their site credentials into the dialog.

Is there any way to prevent that credential prompt from being displayed without either using a whitelist of image hosts (not ideal because it's very restrictive for users) or making sure the image is accessible before allowing it (which can be worked around)?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

If you add the crossorigin="anonymous" attribute to the image, it will no longer prompt for credentials, although it also means that no cookies or cached credentials will be sent either (which doesn't matter in my case).

Note however that, this restricts it to only images that have been served using the Access-Control-Allow-Origin header, which must be set to * or the page's origin. If the header is omitted or incorrect, the image will not be rendered, and a broken image error will be displayed instead. This makes this solution fairly useless, but unfortunately there doesn't seem to be an alternative.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...