authorwolfbeast <mcwerewolf@wolfbeast.com>2019-07-15 14:13:14 +0200
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-07-15 14:13:14 +0200
commit0770beb8ddcbbaf7c0570e72e5e67a9731326148 (patch)
tree9430091e5deb3f29a9a2ec262964e4d249687faf /modules
parente923621f9b25c4e22349b176a072d452a2eb89ba (diff)
Block http auth prompt for cross-origin image subresources by default.
Still allow this to be bypassed with a pref for those really rare corner cases where images are loaded cross-origin by design and the session hasn't been/can't be authenticated ahead of time.
Diffstat (limited to 'modules')
-rw-r--r--modules/libpref/init/all.js7
1 files changed, 7 insertions, 0 deletions
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index 1aec5f393..38c3ced91 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -1988,6 +1988,13 @@ pref("network.generic-ntlm-auth.workstation", "WORKSTATION");
// 2 - allow the cross-origin authentication as well.
pref("network.auth.subresource-http-auth-allow", 2);
+// Sub-resources HTTP-authentication for cross-origin images:
+// true - presenting the http auth. dialog for cross-origin images is allowed.
+// false - suppress the http auth. dialog for cross-origin images.
+// If network.auth.subresource-http-auth-allow has a value of 0 or 1, this pref
+// does not have any effect.
+pref("network.auth.subresource-http-img-XO-auth", false);
+
// This preference controls whether to allow sending default credentials (SSO) to
// NTLM/Negotiate servers allowed in the "trusted uri" list when navigating them
// in a Private Browsing window.
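Review bot: The comment above `network.auth.subresource-http-img-XO-auth` lists the two values but does not say why the default is `false`, nor that with `network.auth.subresource-http-auth-allow` still at 2 the other cross-origin subresource types may, as documented there, still open the dialog. A line such as `// Default false: a third-party image should not be able to raise a credential prompt over the embedding page.` would make the exposure visible to anyone about to flip it to true. The `XO` segment is the only upper-case abbreviation among the neighbouring pref names, so a spelled-out lower-case `cross-origin` would be easier to find in about:config. Only the default is defined here; the code that reads the pref is outside this diff (the diffstat is limited to `modules`), so enforcement cannot be checked from this page.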