From the error message it sounds like if this was an attacker controlled site configured to require authentication it wouldn't trigger? If so it's not that useful a defense since whether to require auth is entirely under the attacker's control.