239944 2022-05-01 08:29:21 -0700 Safari does not persist the Authorization header on redirect 2024-09-18 09:09:52 -0700 1 1 1 Unclassified WebKit Page Loading WebKit Nightly Build All All RESOLVED DUPLICATE 230935 https://bugs.webkit.org/show_bug.cgi?id=56716 InRadar P2 Normal --- 1 906529775 webkit-unassigned achristensen ap beidson biafrajr bs mike nanilasyukia sandrarobel45 webkit-bug-importer youennf oldest_to_newest 1865724 0 906529775 2022-05-01 08:29:21 -0700 Sorry, my English is not good, the following content is generated by translation software. I describe the problem I have: In Safari, I send a request via fetch: /api/user/list?page=1&page_size=10 Because the path is wrong, the status code returned by the server is 301, and a new request path is given: /api/user/list/?page=1&page_size=10 After Safari receives 301, it automatically sends a new request, but does not bring the Authorization request header. My expectation is to bring the Authorization request header when redirecting, what should I do? Looking forward to your reply, thanks. Note: When redirecting, the Chrome browser will take the Authorization request with it. The full request log is below: First request(Has Authorization request header): Request GET /api/user/list?page=1&page_size=10 Authorization: Bearer xxxxxxxxxxxx Referer: https://test.com/api/user/list?page=1&page_size=10 Accept: */* User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15 Cache-Control: no-cache Pragma: no-cache X-OA-ID: 10004572 ------ Response to first request: Redirect Response 301 Moved Permanently Location: /api/user/list/?page=1&page_size=10 Date: Sun, 01 May 2022 09:29:24 GMT Referrer-Policy: same-origin ------ Redirects automatically sent by Safari(No Authorization header): Request GET /api/user/list/?page=1&page_size=10 HTTP/1.1 Accept: */* Pragma: no-cache Cookie: xxxxxxxxxxxx Referer: https://test.com/api/user/list Cache-Control: no-cache Host: test.com Accept-Language: en-US,en;q=0.9 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15 Accept-Encoding: gzip, deflate, br Connection: keep-alive X-OA-ID: 10004572 ------ I found 2 similar questions on stackoverflow, but none were solved. https://stackoverflow.com/questions/71311305/how-to-prevent-safari-from-dropping-the-authorization-header-when-following-a-sa https://stackoverflow.com/questions/57974176/safari-does-not-persist-the-authorization-header-on-redirect 1866401 1 youennf 2022-05-04 02:26:43 -0700 It seems to make sense to keep the authorization header for same origin redirections. It would be good to check where we are dropping the header (WebKit networking code or CFNetwork). See https://github.com/whatwg/fetch/issues/944 for WhatWG fetch discussion. 1866402 2 webkit-bug-importer 2022-05-04 02:26:54 -0700 <rdar://problem/92721299> 1869228 3 459426 youennf 2022-05-16 08:04:43 -0700 Created attachment 459426 Example 1869229 4 youennf 2022-05-16 08:06:37 -0700 I uploaded an example which seems to show that the Authorisation header is being preserved on same origin redirections. @lmx, on which Safari version are you? Can you try Safari Tech Preview? Can you provide a repro case (public or privately at youenn@apple.com) or look at the provided example to see what is different? 1869666 5 906529775 2022-05-17 07:01:31 -0700 @youenn fablet Hello, I uploaded the code here. https://github.com/mrlmx/safari-redirect-demo You can also test through this online demo. https://safari-redirect-demo.vercel.app 1869674 6 youennf 2022-05-17 07:45:04 -0700 Testing in Safari Tech Preview on macOS Monterey, I get the list of users with https://github.com/mrlmx/safari-redirect-demo: lmx:18 foo:17 bar:16 @lmx, which version of Safari and iOS/macOS are you testing on? 1869677 7 906529775 2022-05-17 07:53:02 -0700 @youenn fablet Neither of my two Macs works properly. This is the corresponding version. --- macOS Monterey Version 12.1 (21C52) Safari Version 15.2 (17612.3.6.1.6) --- macOS Big Sur Version 11.3(20E232) Safari Version 14.1 (16611.1.21.161.3) 1869920 8 youennf 2022-05-17 22:56:27 -0700 This is now fixed in latest Safari macOS 12.3 *** This bug has been marked as a duplicate of bug 230935 *** 1869928 9 906529775 2022-05-17 23:42:01 -0700 Thank you(In reply to youenn fablet from comment #8) > This is now fixed in latest Safari macOS 12.3 > > *** This bug has been marked as a duplicate of bug 230935 *** 1981354 10 bs 2023-09-29 12:10:16 -0700 I’m still experiencing this issue on Safari for iOS on my IPhone SE 2020 running iOS 16.6.1. Shouldn’t this be fixed? 1981363 11 ap 2023-09-29 12:34:13 -0700 Yes, it's supposed to have been fixed. Could you please file a new bug from scratch, with precise steps to reproduce and any additional information? 459426 2022-05-16 08:04:43 -0700 2022-05-16 08:04:43 -0700 Example 0001-example.patch text/plain 2991 youennf RnJvbSA3ODU1OWM4ZmFjOTk3MWYyNWVjYjNlNTYyMDM2MDI1ZjQyZmViMDI5IE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBZb3Vlbm4gRmFibGV0IDx5b3Vlbm5mQGdtYWlsLmNvbT4KRGF0 ZTogTW9uLCAxNiBNYXkgMjAyMiAxNzowMzo1NSArMDIwMApTdWJqZWN0OiBbUEFUQ0hdIGV4YW1w bGUKCi0tLQogLi4uL2NyZWRlbnRpYWxzL2Jhc2ljLWF1dGgtcmVkaXJlY3QtdGVzdC5odG1sIHwg MjAgKysrKysrKysrKysrKysrKysrKwogLi4uL2ZldGNoL2FwaS9jcmVkZW50aWFscy9zZWN1cmVk cmVkaXJlY3QucHkgIHwgIDggKysrKysrKysKIC4uLi9mZXRjaC9hcGkvY3JlZGVudGlhbHMvc2Vj dXJlZHJlc291cmNlLnB5ICB8ICA1ICsrKysrCiAzIGZpbGVzIGNoYW5nZWQsIDMzIGluc2VydGlv bnMoKykKIGNyZWF0ZSBtb2RlIDEwMDY0NCBMYXlvdXRUZXN0cy9pbXBvcnRlZC93M2Mvd2ViLXBs YXRmb3JtLXRlc3RzL2ZldGNoL2FwaS9jcmVkZW50aWFscy9iYXNpYy1hdXRoLXJlZGlyZWN0LXRl c3QuaHRtbAogY3JlYXRlIG1vZGUgMTAwNjQ0IExheW91dFRlc3RzL2ltcG9ydGVkL3czYy93ZWIt cGxhdGZvcm0tdGVzdHMvZmV0Y2gvYXBpL2NyZWRlbnRpYWxzL3NlY3VyZWRyZWRpcmVjdC5weQog Y3JlYXRlIG1vZGUgMTAwNjQ0IExheW91dFRlc3RzL2ltcG9ydGVkL3czYy93ZWItcGxhdGZvcm0t dGVzdHMvZmV0Y2gvYXBpL2NyZWRlbnRpYWxzL3NlY3VyZWRyZXNvdXJjZS5weQoKZGlmZiAtLWdp dCBhL0xheW91dFRlc3RzL2ltcG9ydGVkL3czYy93ZWItcGxhdGZvcm0tdGVzdHMvZmV0Y2gvYXBp L2NyZWRlbnRpYWxzL2Jhc2ljLWF1dGgtcmVkaXJlY3QtdGVzdC5odG1sIGIvTGF5b3V0VGVzdHMv aW1wb3J0ZWQvdzNjL3dlYi1wbGF0Zm9ybS10ZXN0cy9mZXRjaC9hcGkvY3JlZGVudGlhbHMvYmFz aWMtYXV0aC1yZWRpcmVjdC10ZXN0Lmh0bWwKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAw MDAwMDAwMDAwLi44OWQ1YzQ4MDU2MjMKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9p bXBvcnRlZC93M2Mvd2ViLXBsYXRmb3JtLXRlc3RzL2ZldGNoL2FwaS9jcmVkZW50aWFscy9iYXNp Yy1hdXRoLXJlZGlyZWN0LXRlc3QuaHRtbApAQCAtMCwwICsxLDIwIEBACis8IWRvY3R5cGUgaHRt bD4KKzxodG1sPgorPGhlYWQ+CisgIDxtZXRhIGNoYXJzZXQ9IlVURi04Ij4KKyAgPHRpdGxlPjwv dGl0bGU+CisgIDxzY3JpcHQgc3JjPSIvcmVzb3VyY2VzL3Rlc3RoYXJuZXNzLmpzIj48L3Njcmlw dD4KKyAgPHNjcmlwdCBzcmM9Ii9yZXNvdXJjZXMvdGVzdGhhcm5lc3NyZXBvcnQuanMiPjwvc2Ny aXB0PgorPC9oZWFkPgorPGJvZHk+CisgIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij4K K3Byb21pc2VfdGVzdChhc3luYyAoKSA9PiB7CisgICAgY29uc3QgaGVhZGVycyA9IHsgIkF1dGhv cml6YXRpb24iOiAiQmFzaWMgIiArIGJ0b2EoInVzZXI6cGFzc3dvcmQiKX07CisgICAgY29uc3Qg cmVxdWVzdEluaXQgPSB7ImNyZWRlbnRpYWxzIjogImluY2x1ZGUiLCAiaGVhZGVycyI6IGhlYWRl cnN9OworICAgIGNvbnN0IGF1dGhVcmwgPSAnc2VjdXJlZHJlZGlyZWN0LnB5JzsKKyAgICBjb25z dCByZXNwb25zZSA9IGF3YWl0IGZldGNoKGF1dGhVcmwsIHJlcXVlc3RJbml0KTsKKyAgICBhc3Nl cnRfZXF1YWxzKGF3YWl0IHJlc3BvbnNlLnRleHQoKSwgImdvdCBhbiBhdXRob3JpemF0aW9uIGhl YWRlciIpOworfSwgIkF1dGhvcml6YXRpb24gaGVhZGVyIGFmdGVyIHJlZGlyZWN0aW9uIik7Cisg IDwvc2NyaXB0PgorPC9ib2R5PgorPC9odG1sPgpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaW1w b3J0ZWQvdzNjL3dlYi1wbGF0Zm9ybS10ZXN0cy9mZXRjaC9hcGkvY3JlZGVudGlhbHMvc2VjdXJl ZHJlZGlyZWN0LnB5IGIvTGF5b3V0VGVzdHMvaW1wb3J0ZWQvdzNjL3dlYi1wbGF0Zm9ybS10ZXN0 cy9mZXRjaC9hcGkvY3JlZGVudGlhbHMvc2VjdXJlZHJlZGlyZWN0LnB5Cm5ldyBmaWxlIG1vZGUg MTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAwMC4uOTBjYWU1NTAyYzI2Ci0tLSAvZGV2L251bGwKKysr IGIvTGF5b3V0VGVzdHMvaW1wb3J0ZWQvdzNjL3dlYi1wbGF0Zm9ybS10ZXN0cy9mZXRjaC9hcGkv Y3JlZGVudGlhbHMvc2VjdXJlZHJlZGlyZWN0LnB5CkBAIC0wLDAgKzEsOCBAQAorZGVmIG1haW4o cmVxdWVzdCwgcmVzcG9uc2UpOgorICAgIGlmIGIiYXV0aG9yaXphdGlvbiIgbm90IGluIHJlcXVl c3QuaGVhZGVyczoKKyAgICAgICAgcmVzcG9uc2Uuc3RhdHVzID0gNDAxCisgICAgICAgIHJlc3Bv bnNlLmhlYWRlcnMuc2V0KGIiV1dXLUF1dGhlbnRpY2F0ZSIsIGIiQmFzaWMiKQorICAgICAgICBy ZXR1cm4KKworICAgIHJlc3BvbnNlLnN0YXR1cyA9IDMwMQorICAgIHJlc3BvbnNlLmhlYWRlcnMu c2V0KGIiTG9jYXRpb24iLCBiInNlY3VyZWRyZXNvdXJjZS5weSIpCmRpZmYgLS1naXQgYS9MYXlv dXRUZXN0cy9pbXBvcnRlZC93M2Mvd2ViLXBsYXRmb3JtLXRlc3RzL2ZldGNoL2FwaS9jcmVkZW50 aWFscy9zZWN1cmVkcmVzb3VyY2UucHkgYi9MYXlvdXRUZXN0cy9pbXBvcnRlZC93M2Mvd2ViLXBs YXRmb3JtLXRlc3RzL2ZldGNoL2FwaS9jcmVkZW50aWFscy9zZWN1cmVkcmVzb3VyY2UucHkKbmV3 IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwLi5jMWQyMzZjNDY2YjMKLS0tIC9k ZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9pbXBvcnRlZC93M2Mvd2ViLXBsYXRmb3JtLXRlc3Rz L2ZldGNoL2FwaS9jcmVkZW50aWFscy9zZWN1cmVkcmVzb3VyY2UucHkKQEAgLTAsMCArMSw1IEBA CitkZWYgbWFpbihyZXF1ZXN0LCByZXNwb25zZSk6CisgICAgaWYgYiJhdXRob3JpemF0aW9uIiBu b3QgaW4gcmVxdWVzdC5oZWFkZXJzOgorICAgICAgICByZXR1cm4gImdvdCBubyBhdXRob3JpemF0 aW9uIGhlYWRlciIKKworICAgIHJldHVybiAiZ290IGFuIGF1dGhvcml6YXRpb24gaGVhZGVyIgot LSAKMi4zMi4wIChBcHBsZSBHaXQtMTMyKQoK