Reverted HTTP auth dialog can no longer be triggered by cross-origin resources

Published: | Categories: Networking Privacy & Security | Creative Commons BY-SA 3.0


Firefox, among other browsers, had previously allowed any resources, such as <iframe>, <img>, <script>, XMLHttpRequest or CSS background-image, to show an HTTP 401 basic authentication dialog. This behaviour, however, could be used by attackers to steal the user’s credentials if they were able to embed or inject an arbitrary resource to the victimized page. On Firefox 40 and later, the page itself and resources served from the same origin can only trigger an authentication dialog, preventing such potential attacks while mitigating site compatibility issues.

If needed, this new behaviour can be changed with the hidden network.auth.allow-subresource-auth preference taking one of the following values:

  • 0 - Don’t allow sub-resources to open HTTP authentication credentials dialogs
  • 1 (default) - Allow sub-resources to open HTTP authentication credentials dialogs, but don’t allow it for cross-origin sub-resources
  • 2 - Allow the cross-origin authentication as well

Source: modules/libpref/init/all.js

Update: In response to the feedback from users, this change was backed out from Firefox 41 Beta, 42 Developer Edition and 43 Nightly, so the default value of the network.auth.allow-subresource-auth preference has been reverted to 2. Firefox 40 users should also have received an automatic update to the bundled hotfix add-on, released on , that restores the previous behaviour.

Update 2: In order to avoid conflict with the hotfix add-on, Firefox 41 has renamed the preference to network.auth.subresource-http-auth-allow while the possible values and default value (2) remain the same.

Update 3: Firefox 59 has reimplemented part of the change, but just for cross-origin images.