Allow cross-origin subresources from asking for credentials

Hello,


I noticed that Safari disallowed cross-origin subresources from asking for credentials ( https://trac.webkit.org/changeset/228486/webkit/ )

How can I allow it? We have a Web-App which uses a Cross-Origin request to ask for credentials and we want to allow this request but Safari blocks it. Is there any way to allow it?

Blocked *URL* from asking for credentials because it is a cross-origin request.

Thanks

Alex

Replies

As Safari relies on webkit, it seems you'd want to cross-discuss your use case w/webkit instead of here, keeping in mind this statement found at that link...


"Prompts for credentials to load cross-origin subresources are typically seen as unexpected by a person that navigates to- or interacts with- a web page. The cross-origin and implicit loading nature of these subresources makes asking for credentials questionable because they are not being served by the same origin of the page a person explicitly loaded and are not guaranteed to correspond to an explicit user interaction other than the initial load of the page. We know that subresources that ask for credentials can be abused as part of a phishing attack. It seems reasonable to disallow cross-origin subresources from asking for credentials due to their questionable nature and the risk for abuse. This will also make the behavior of WebKit match the behavior of Chrome."