When updating an application cache, the user is not asked for credentials, which makes sense. However, credentials that already exist in credential storage also aren't used.
I'm not sure if it makes huge sense to cache authenticated resources - once they are cached, they become available to anyone who asks, even after browser restart. Also, there is no way to make appcache store several versions of content that depends on user identity (cookies have the same problem). But if web developers want to, we probably shouldn't stop them. This works in Firefox, FWIW.
Created attachment 35048 [details]
Comment on attachment 35048 [details]
> + // For normal resource loading, WebKit client is asked about each resource individually. Since application cache does not belong to any particular document,
> + // the existing client callback cannot be used, and just assume that any client that enables application cache also wants it to use credential storage.
Should say "so assume" rather than "and just assume".
Committed revision 47439.