IE is completely DoS'd by a page full of HTTP Basic Auth images.

  • Question

  • [I posted this on answers.microsoft.com first, but was told to post over here, so I am.]
    [I ran into this with the Mail app, where the problem is made even worse, but it looks like it's an IE issue at heart.]

    Repro: (you'll have to kill IE after this, so save important tabs first). Go to https://dl.dropboxusercontent.com/u/6867891/misc/ie-basic-auth-dos.html

    Result: You are inundated with an "endless" (50 in this case) supply of modal dialogs asking you for credentials.  Regardless of whether you enter the correct credentials (netsession/password) or hit enter, the modal dialogs just keep on coming.

    Suggested fix:  Chrome and Firefox only prompt me once.  If I enter credentials or hit cancel, they use that for all subsequent requests to that HTTP Basic Auth realm.

    In addition, it would be nice if the dialog wasn't modal, so it can't block the whole app.

    Background: Every day I receive a stats email that includes around 100 tiny sparkline-style graphs.  These graph images are served off of our stats server, which authenticates users via HTTP Basic Authentication (meaning that in order to get the image, the client has to send a username/password in the HTTP headers).  When I view this email (in IE or the Windows Mail app), it brings up a modal dialog to prompt me for the username and password for every single image in the email (all 100).  There's no way to cancel or abort.

    In the Mail app this is made even worse because it apparently tries to pre-load emails in the background, so I get stuck in this "endless" modal dialog cycle without even clicking on the email in question.  So my entire Mail app is currently unusable.
    Tuesday, July 2, 2013 1:55 AM
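
The "prompt once per realm" behaviour suggested in the question can be modelled as a small decision cache. This is an added sketch, not part of the original post and not any browser's actual code. It runs under Node.js, and the host `stats.example`, the realm `stats`, and all function names are made up for illustration.

```javascript
// Added illustration; function names are hypothetical, not browser internals.

// Extract the realm from a Basic challenge such as: Basic realm="stats"
function basicRealm(wwwAuthenticate) {
  const m = /^\s*Basic\b.*?\brealm="([^"]*)"/i.exec(wwwAuthenticate);
  return m ? m[1] : null;
}

// Protection space = origin (scheme, host, port) plus realm.
function protectionSpace(url, wwwAuthenticate) {
  const realm = basicRealm(wwwAuthenticate);
  return realm === null ? null : `${new URL(url).origin} ${realm}`;
}

// Process the 401 responses of one page. askUser(space) stands in for the
// credential dialog: it returns {user, pass}, or null when the user cancels.
function loadImages(responses, askUser, rememberPerSpace) {
  const decided = new Map(); // space -> credentials, or null after a cancel
  let prompts = 0;
  const results = responses.map(({ url, wwwAuthenticate }) => {
    const space = protectionSpace(url, wwwAuthenticate);
    if (space === null) return { url, action: 'fail' }; // not a Basic challenge
    if (!rememberPerSpace || !decided.has(space)) {
      prompts += 1;
      decided.set(space, askUser(space));
    }
    const creds = decided.get(space);
    if (creds === null) return { url, action: 'skip' }; // cancelled: no retry
    const token = Buffer.from(`${creds.user}:${creds.pass}`).toString('base64');
    return { url, action: 'retry', authorization: `Basic ${token}` };
  });
  return { prompts, results };
}

// Constructed input: 50 images behind one realm, as in the report above.
const page = Array.from({ length: 50 }, (_, i) => ({
  url: `https://stats.example/graph/${i}.png`,
  wwwAuthenticate: 'Basic realm="stats"',
}));
const cancel = () => null;
console.log('prompt per image:', loadImages(page, cancel, false).prompts);
console.log('prompt per space:', loadImages(page, cancel, true).prompts);
```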

Answers

  • Hi,

    Tools>Internet Options>Security tab, click "Reset all zones to default"

    Trusted Sites icon, 'Sites' button.... add *.Akamai.com and *.dropboxusercontent.com to the list of sites. Then choose the 'Custom level' button. Select 'anonymous login' under the Authentication section....

    !important - configure your GPO security zone templates with the above settings otherwise the above settings will be overwritten by IE resets or Security zone user resets.

    Regards.


    Rob^_^

    Tuesday, July 2, 2013 4:01 AM