防止HTTP基本验证显示提示图像 [英] Prevent HTTP Basic Authentication from displaying prompt for images

问题描述

如果我在页面上有不同域的图像，并且该图像受HTTP基本认证保护，浏览器会向用户显示认证对话框，如下所示：

鉴于该网站是一个论坛，因此包含大量用户生成的内容，对于恶意用户来说非常容易要添加一个这样的图像，然后可能会收集一个或两个人的登录凭据，并将其网站凭据输入到对话框中。

有没有什么办法可以防止在没有使用图像主机的白名单的情况下显示凭证提示（不理想，因为它对用户非常严格），或者确保图像如果你添加了 crossorigin =是，你可以在允许它之前访问它（这可以解决） 匿名属性，它将不再提示输入凭据，但这也意味着不会发送任何cookie或缓存的凭据（这对我来说无关紧要）请注意，这仅限于使用 Access-Control-Allow-Origin 标头提供的图像，它必须设置为 * 或页面的原点。如果标题被省略或不正确，图像将不会被渲染，并且将会显示一个破碎的图像错误。这使得这个解决方案毫无用处，但不幸的是似乎没有其他选择。

If I have an image from a different domain on a page, and that image is protected by HTTP Basic Authentication, the browser will present the authentication dialog to the user, looking like this: Given that the site is a forum, so contains a lot of user-generated content, it's pretty easy for a malicious user to add an image like this, then potentially harvest the login credentials of the one or two people who fall for it and type their site credentials into the dialog.

Is there any way to prevent that credential prompt from being displayed without either using a whitelist of image hosts (not ideal because it's very restrictive for users) or making sure the image is accessible before allowing it (which can be worked around)?

解决方案

If you add the crossorigin="anonymous" attribute to the image, it will no longer prompt for credentials, although it also means that no cookies or cached credentials will be sent either (which doesn't matter in my case).

Note however that, this restricts it to only images that have been served using the Access-Control-Allow-Origin header, which must be set to * or the page's origin. If the header is omitted or incorrect, the image will not be rendered, and a broken image error will be displayed instead. This makes this solution fairly useless, but unfortunately there doesn't seem to be an alternative.

这篇关于防止HTTP基本验证显示提示图像的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！