Request-level control to suppress interactive HTTP authentication prompts (FETCH), and CSP control over interactive HTTP authentication for subresources (CSP)
We are requesting Mozilla’s standards position on two related proposals that would give embedding origins explicit control over interactive HTTP authentication prompts triggered by subresource requests: a per-request Fetch option (whatwg/fetch#1910) and a CSP directive (w3c/webappsec-csp#801).
Problem Statement
Currently, when a subresource responds with 401 Unauthorized or 407 Proxy Authentication Required and includes WWW-Authenticate / Proxy-Authenticate, Firefox may display an interactive authentication prompt.
Embedding origins have no standardized mechanism to suppress this behavior. In user-generated content or third-party embedding scenarios, this can create unexpected credential prompts within a trusted origin context, increasing phishing surface and user confusion.
Prior Implementation Attempts
We understand that Firefox has previously attempted to disable authentication prompting for cross-origin subresources, but this approach caused compatibility regressions and legitimate use-case breakage.
The current proposals differ materially from blanket disablement:
They are explicitly opt-in (per-request via Fetch or per-document via CSP).
Default behavior remains unchanged.
Legitimate authentication flows continue to work unless a developer intentionally suppresses prompts.
This aims to provide a middle ground:
Preserve existing behavior for sites that rely on it.
Allow security-conscious embedding origins to explicitly prevent subresource-triggered credential prompts.
Question for Mozilla
If either of these proposals advances in the relevant standards bodies and gains multi-browser support, would Mozilla be open to implementing an opt-in mechanism of this nature?
Specification title
Request-level control to suppress interactive HTTP authentication prompts (FETCH), and CSP control over interactive HTTP authentication for subresources (CSP)
Specification or proposal URL (if available)
whatwg/fetch#1910, w3c/webappsec-csp#801
Explainer URL (if available)
No response
Proposal author(s)
@nirmalk401
MDN URL
No response
Caniuse.com URL
No response
Bugzilla URL
https://bugzilla.mozilla.org/show_bug.cgi?id=2018814
Mozillians who can provide input
@dveditz
WebKit standards-position
No response
Other information
WHATWG Fetch – Request-level suppression via RequestInit.authPrompt
Proposal: Request-level control to suppress interactive HTTP authentication prompts whatwg/fetch#1910
W3C CSP – Declarative auth-challenge directive
Proposal: CSP control over interactive HTTP authentication for subresources w3c/webappsec-csp#801
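As an added illustration of how an embedding origin would use the Fetch-level opt-in described above (this is example code written for this page, not code from either proposal, from Firefox, or from Mozilla), the snippet below feature-detects the proposed RequestInit.authPrompt member, passes it when supported, and otherwise falls back to classifying 401/407 responses after the fact. The value 'none' as the "do not prompt" setting is an assumption; the proposal named here only identifies the option. makeResponse, detectAuthPromptSupport, buildInit and fetchSubresource are constructed helpers, and the sample responses are constructed so the code runs offline. Note that post-hoc classification can only record that a subresource challenged; it cannot stop the browser's prompt, which is exactly the gap the opt-in is meant to close.

```javascript
// Added example, not from the proposals or from Mozilla. Assumes the proposed
// RequestInit.authPrompt member; the value 'none' meaning "do not prompt" is an
// assumption, the proposal on this page only names the option itself.

const CHALLENGE_STATUSES = new Set([401, 407]);

// Constructed helper: a minimal Response-like object with case-insensitive
// header lookup, so the example runs without a network.
function makeResponse(status, headers = {}) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  return { status, headers: { get: (name) => lower[name.toLowerCase()] ?? null } };
}

// Does this subresource response carry an interactive auth challenge?
// 401 pairs with WWW-Authenticate, 407 with Proxy-Authenticate.
function classifyAuthChallenge(response) {
  const { status } = response;
  if (!CHALLENGE_STATUSES.has(status)) {
    return { challenge: false, status, scheme: null };
  }
  const header = response.headers.get(
    status === 407 ? 'Proxy-Authenticate' : 'WWW-Authenticate',
  );
  if (!header) return { challenge: false, status, scheme: null };
  // The scheme is the first token of the challenge, e.g. "Basic realm=..."
  const scheme = header.trim().split(/[\s,]+/)[0];
  return { challenge: true, status, scheme };
}

// Feature-detect a RequestInit member the way `signal` support is probed:
// WebIDL dictionary conversion only reads members the engine knows about,
// so the getter fires only if the engine recognises authPrompt.
function detectAuthPromptSupport(RequestCtor) {
  let supported = false;
  try {
    new RequestCtor('https://example.invalid/', {
      get authPrompt() {
        supported = true;
        return 'none';
      },
    });
  } catch {
    supported = false;
  }
  return supported;
}

// Build the init: opt out of prompts where supported, otherwise leave the
// init untouched and rely on classification after the response arrives.
function buildInit(supportsAuthPrompt, base = {}) {
  return supportsAuthPrompt ? { ...base, authPrompt: 'none' } : { ...base };
}

// Fetch a subresource on behalf of an embedding origin: treat any challenge
// as a failure and return a record suitable for logging or telemetry.
async function fetchSubresource(url, { fetchImpl, supportsAuthPrompt, base }) {
  const response = await fetchImpl(url, buildInit(supportsAuthPrompt, base));
  const verdict = classifyAuthChallenge(response);
  if (verdict.challenge) {
    return { ok: false, reason: 'auth-challenge', url, ...verdict };
  }
  return { ok: true, status: response.status, url, response };
}

// Constructed sample: an embedded third-party image that answers 401 Basic,
// standing in for the "unexpected prompt inside a trusted origin" scenario.
const sampleFetch = async (url) =>
  url.endsWith('/avatar.png')
    ? makeResponse(401, { 'WWW-Authenticate': 'Basic realm="intranet"' })
    : makeResponse(200, { 'Content-Type': 'image/png' });

const supportsAuthPrompt =
  typeof Request === 'function' ? detectAuthPromptSupport(Request) : false;

fetchSubresource('https://third-party.example/avatar.png', {
  fetchImpl: sampleFetch,
  supportsAuthPrompt,
}).then((result) => console.log(result));
```

In a real deployment the fetchImpl argument would be the global fetch, and the returned record would feed whatever logging the embedding origin already keeps; the point of the opt-in is that, once authPrompt is honoured, the same challenge response arrives silently instead of surfacing a credential dialog under the embedding origin's name.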