User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.2 Build ID: 20150420231403 Steps to reproduce: With apache config: <Directory "/var/www/html/auth"> AuthName "NTLM Authentication thingy" NTLMAuth on NTLMAuthHelper "/data/samba/samba4/prefix/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --password=password -d100" NTLMBasicAuthoritative on AuthType NTLM require valid-user </Directory> Hosts: 127.0.1.1 ruth ntlm1 ntlm2 ntlm3 ntlm4 And the attached file (supply own logo to use as test image) Access http://localhost/auth Enter username (any), password (password) Actual results: The images on hosts ntlm{1,2,3,4} do not load. The network trace (also attached) shows no attempt at NTLM authentication, after the web server prompts for it with a 401. Expected results: As per Iceweasel 37.0.2, load all the images after prompting for credentials.

Bisection with mozregression shows 13:55.39 LOG: MainThread Bisector INFO Last good revision: 98ea146e6f51 13:55.39 LOG: MainThread Bisector INFO First bad revision: e7c656feac7f 13:55.39 LOG: MainThread Bisector INFO Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=98ea146e6f51&tochange=e7c656feac7f This appears to be a deliberate change in bug 647010. https://hg.mozilla.org/integration/mozilla-inbound/rev/2e642b4f35c4

CC'ing dd.mozilla for more info.

Bug 647010 disabled the prompt for the authentication for the cross-origin subresources. Actually there is a pref for this so it can be allowed. Here subresources is cross-origin because first request is to localhost and the sub-requests are to ntlm (1,2,3) so they are not the same but they are actually the same host the same ip address. it could be possible to take ip address into account but i am not sure how common is such a case in the internet. I think it is fine to leave it like this.

Thanks, I do agree with this analysis. I suspect that this will hit intranet use - because in the IE and NTLM-authentication dominated intranet, application developers and their target IE on Windows users do not notice that their resources are being served from more than one server or name. I wasn't hoping for the IP address to count, that was just how I was trying to confirm that multiple concurrent NTLM authentication requests were not broken. I set that preference (network.auth.allow-subresource-auth = 2) to permit that testing.

I will close this bug. Maybe we will have a problem when this feature reaches release, but then changing pref will fix it.

Terrible fix....lazy fix.... a "we don't give a F" fix. Just shut the whole thing down instead of implementing a smart embedded warning/exception storing fix. Another blow to the usability and utility of Firefox.