The current behavior is to throw an error (NETWORK_ERR: XMLHttpRequest Exception 101) for synchronous requests and set the status to 0 for asynchronous requests. IE and Fx both correctly set the status to 401 for both synchronous and asynchronous requests.
Could you please provide a test case? I did not see this behavior when I was testing autentication in XHR, so I was probably doing something differently.
Here's 4: var r = new XMLHttpRequest(); r.open("GET", "http://gi.tibco.com/tests/auth2/data1.xml", false); r.send(); assertEquals(401, r.status); var r = new XMLHttpRequest(); r.open("GET", "http://gi.tibco.com/tests/auth2/data1.xml", false, "badname", "passpw"); r.send(); assertEquals(401, r.status); var r = new XMLHttpRequest(); r.open("GET", "http://gi.tibco.com/tests/auth2/data1.xml", true); r.onreadystatechange = function() { if (r.readyState == 4) { assertEquals(401, r.status); } }; r.send(); var r = new XMLHttpRequest(); r.open("GET", "http://gi.tibco.com/tests/auth2/data1.xml", true, "badname", "passpw"); r.onreadystatechange = function() { if (r.readyState == 4) { assertEquals(401, r.status); } }; r.send();
Confirmed with r23984. Please note that the current draft of XMLHttpRequest spec just says that "If authentication fails, user agents should prompt the users for credentials." It probably needs to say that the user can be asked for credentials only once, and if that doesn't help, the 401 response is returned.
Created attachment 15402 [details] test case A test case that works from LayoutTests/http/tests/xmlhttprequest.
The sync (regression) part was fixed in bug 14704. A commented out test for the async case can be found in http/tests/xmlhttprequest/failed-auth.html.
Created attachment 61123 [details] proposed fix
Fixed on Mac in <http://trac.webkit.org/changeset/63095>. A Windows Safari fix is in closed source code. The fix was to change what happens when the user cancels authentication sheet. Please file new bugs for other aspects that may be still wrong.