Closed
Bug 979359
Opened 11 years ago
Closed 9 years ago
Add telemetry to understand HTTP Auth usage in subresources
Categories
(Core :: General, defect)
Tracking
RESOLVED
FIXED
mozilla43
Tracking | Status | |
---|---|---|
firefox43 | --- | fixed |
People
(Reporter: Dolske, Assigned: dragana)
References
(Blocks 1 open bug)
Attachments
(1 file, 3 obsolete files)
patch (deleted) | dragana: review+
HTTP Authentication has a number of inherent UX problems. Bug 647010 has some details, but the nutshell version is that authentication requests from nested resources in a page (e.g. iframes, images, etc.) can be quite confusing, especially when they're for different origins. The prompts include the requesting origin, but users often won't see or understand it.
We'd like to consider dropping these kinds of requests, but we really don't know how common they are. Chrome apparently tried this and then undid it for unclear reasons (see bug 647010 comment 21).
I think it would be helpful to add some telemetry to understand how common this kind of thing is. Details TBD, but off the top of my head it would be useful to know:
* How often HTTP Auth occurs at all
* What percentage of that is for a top-level doc load
* For subresources, what percentage are cross-origin (probably just cross-TLD?)
Updated•11 years ago
Whiteboard: [triage]
Updated•11 years ago
Whiteboard: [triage] → p=0
Reporter
Comment 1•11 years ago
Joel: Wrong bug? Those two dependencies are completely unrelated to this bug.
Reporter
Comment 2•10 years ago
I think this would be useful to understand if we implement tab-modal auth prompts.
Blocks: 983796
Updated•10 years ago
Points: --- → 8
Whiteboard: p=8
Assignee
Comment 3•9 years ago
Assignee
Comment 4•9 years ago
Attachment #8651768 -
Attachment is obsolete: true
Assignee
Comment 5•9 years ago
Assignee: nobody → dd.mozilla
Attachment #8651771 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8651932 -
Flags: review?(jduell.mcbugs)
Comment 6•9 years ago
Comment on attachment 8651932
bug_979359_v1.patch
Review of attachment 8651932:
-----------------------------------------------------------------
::: netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
@@ +36,5 @@
> #define SUBRESOURCE_AUTH_DIALOG_DISALLOW_CROSS_ORIGIN 1
> #define SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL 2
>
> +#define HTTP_AUTH_DIALOG_TOP_LEVEL_DOC 0
> +#define HTTP_AUTH_DIALOG_NOT_CROSS_ORIGIN_SUB_RESOURCES 1
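Review bot: The two new HTTP_AUTH_DIALOG_* defines at the end of this hunk take the values 0 and 1 directly under the SUBRESOURCE_AUTH_DIALOG_* group, which uses 1 and 2, and no comment in the visible lines says what either group is for. Both are plain integer macros, so a constant from one set passed where the other is expected would compile silently. Consider a short comment above the new group stating what the values index (the bug title suggests telemetry buckets), or an enum for the new group so the two sets cannot be mixed up.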
how about SAME_ORIGIN_SUBRESOURCE? (i.e. SAME instead of NOT, SUBRESOURCE as one word, and not plural)
Attachment #8651932 -
Flags: review?(jduell.mcbugs) → review+
Assignee
Comment 7•9 years ago
Assignee
Comment 8•9 years ago
Attachment #8651932 -
Attachment is obsolete: true
Attachment #8653520 -
Flags: review+
Assignee
Updated•9 years ago
Keywords: checkin-needed
Keywords: checkin-needed
Comment 10•9 years ago
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox43:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Comment 11•9 years ago
Looking at the stats, the number of same origin subresources is surprisingly large:
https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2015-09-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F43&measure=HTTP_AUTH_DIALOG_STATS&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2015-08-28&table=0&trim=1&use_submission_date=0
cross origin subresources account for 3.5%. What is the path forward here?
Comment 12•9 years ago
Perhaps we can determine what type of cross origin subresources we have and whitelist some (ex: xhr and iframe).
https://bugzilla.mozilla.org/show_bug.cgi?id=647010#c28
Assignee
Comment 13•9 years ago
(In reply to Tanvi Vyas [:tanvi] from comment #11)
> Looking at the stats, the number of same origin subresources is surprisingly large:
> https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2015-09-06&keys=__none__!__none__!__none__&max_channel_version=nightly%252F43&measure=HTTP_AUTH_DIALOG_STATS&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2015-08-28&table=0&trim=1&use_submission_date=0
>
> cross origin subresources account for 3.5%. What is the path forward here?
I think we should make the cross-origin issue more clear in the authentication dialog, e.g. showing that the sub-resource is asking for authentication.
I would not whitelist anything, I think the behavior should be the same for all sub-resources.