HTTP auth dialog can no longer be triggered by cross-origin images

Published: | Categories: Networking Privacy & Security

Description

Starting with Firefox 59, an image resource loaded from a different origin from the current page can no longer trigger an HTTP authentication dialog prompt, preventing user credentials being stolen if attackers were able to embed an arbitrary image to the victimized page.

This security measure was originally introduced with Firefox 40 but soon backed out due to several compatibility issues. While cross-origin frames and scripts may still be used to trigger an auth dialog in some organizations, images are unlikely legit, hence the change. Given that Google Chrome has already implemented this, Mozilla developers expect nothing will be broken.

References