41217 2010-06-25 10:22:06 -0700 CORS XMLHttpRequest should log a detailed reason for failure when a security check fails 2010-07-02 17:29:08 -0700 1 1 1 Unclassified WebKit Web Inspector (Deprecated) 528+ (Nightly build) All All RESOLVED DUPLICATE 41156 P2 Normal --- 1 sng webkit-unassigned ap oldest_to_newest 243066 0 sng 2010-06-25 10:22:06 -0700 Steps: 1) Test Page with both IFRAME and XHR Request 2) From the IFRAME, log into the secure page with credentials (This will pop up dialog box asking for credentials) 3) Trigger XHR to be sent to the same secure page. WithCredentials Flag is true Packet Sequence: - HTTP GET to secure page -HTTP Response with 401, and the following headers: Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Credentials: True Access-Control-Allow-Headers: X-Requested-With Access-Control-Max-Age: 10 - HTTP GET to secure Page, using basic Authorization and the correct username/password used in step 2 for IFRAME log in - HTTP Response from Server with 200 (Log in success). Yet, I am getting a XMLHttpRequest Network Error 101 at the Javascript level. Status = 0 and responseText = ''. I can reproduce this on both Chrome and Safari. 243069 1 sng 2010-06-25 10:31:08 -0700 Just reproduced in both Sync and Async Request. Sync mode produces the 101 Error Async Mode the state just jumps right to 4 and returns blank responseText and status is 0 243120 2 ap 2010-06-25 12:15:07 -0700 Does this work in Firefox? > -HTTP Response with 401, and the following headers: Does the actual response have all the same headers, or only 401 does? Can you attach a packet trace, and the source of your client-side test? > Access-Control-Allow-Credentials: True Oh, and one more thing. We only support all-lowercase "true" here. I haven't checked the spec, maybe it's a bug. 243126 3 59787 sng 2010-06-25 12:21:16 -0700 Created attachment 59787 Packet Trace 243127 4 sng 2010-06-25 12:21:50 -0700 All responses have the same headers. I have updated the server to return all lower case "true" and still same result. 243161 5 ap 2010-06-25 13:12:44 -0700 > Oh, and one more thing. We only support all-lowercase "true" here. I haven't checked the spec, maybe it's a bug. That's correct behavior FWIW, CORS requires a case sensitive match for "true". > and the source of your client-side test Can you attach that? 243669 6 59896 sng 2010-06-28 05:54:53 -0700 Created attachment 59896 Client Side Test Page 243670 7 sng 2010-06-28 05:55:10 -0700 Client Side Test Pages Attach. Just replace with your own host name. 245524 8 ap 2010-07-01 13:47:24 -0700 This is correct behavior, wildcard origin is not allowed if withCredentials is true: <http://dev.w3.org/2006/waf/access-control/>, section 6.2: ------------------------------- The resource sharing check algorithm for a given resource is as follows: If the response includes zero or more than one Access-Control-Allow-Origin header values return fail and terminate this algorithm. If the Access-Control-Allow-Origin header value is the literal "*" character and the credentials flag is false return pass and terminate this algorithm. If the value of Access-Control-Allow-Origin is not a case-sensitive match for the value of the Origin header as defined by its specification return fail and terminate this algorithm. If the credentials flag is true and the response includes zero or more than one Access-Control-Allow-Credentials header values return fail and terminate this algorithm. If the credentials flag is true and the Access-Control-Allow-Credentials header value is not a case-sensitive match for "true" return fail and terminate this algorithm. Return pass. ------------------------------- Let's use this bug to track improved Web Inspector error logging. 245894 9 sng 2010-07-02 06:10:31 -0700 Thanks Alexey. I can get my tests to work. However, it seems on Safari whenever I sent Asynchronous Request with withCredentials=false it never works. (i.e. I get status = 0 and empty responseText). On Chrome everything is working as expected. 245922 10 ap 2010-07-02 08:39:29 -0700 > However, it seems on Safari Please file a new bug for that (again, attaching a packet trace and your test case). 246171 11 ap 2010-07-02 17:29:08 -0700 *** This bug has been marked as a duplicate of bug 41156 *** 59787 2010-06-25 12:21:16 -0700 2010-06-25 12:21:16 -0700 Packet Trace withcredentials.cap application/octet-stream 2959 sng R01CVQICAQDaBwYABQAZAAwAIQAIAFoCbwsAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAEriSdQIAAACIAAAAiAAAAAABAAAAAQADAAMGaQAAQwA6AFwAUAByAG8A ZwByAGEAbQAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0ACAATgBlAHQAdwBvAHIAawAg AE0AbwBuAGkAdABvAHIAIAAzAFwAbgBlAHQAbQBvAG4ALgBlAHgAZQAAAEgAVABUAFAAAAD///// //8SuJJ1AgAAADIBAAAyAQAAAAEAAQAATABvAGMAYQBsACAAQQByAGUAYQAgAEMAbwBuAG4AZQBj AHQAaQBvAG4AAABWAE0AdwBhAHIAZQAgAEEAYwBjAGUAbABlAHIAYQB0AGUAZAAgAEEATQBEACAA UABDAE4AZQB0ACAAQQBkAGEAcAB0AGUAcgAgAC0AIABUAGUAZQBmAGUAcgAyACAATQBpAG4AaQBw AG8AcgB0AAAAewAzAEEAOAA2AEEAMgBCADYALQA1ADcAMwAyAC0ANAA3AEUAMwAtADkAMAA1AEEA LQA5ADYANwA3ADIAMwBFADUANQAwADYAOQB9AAAAAAAABgAAAAAAAAAAO5rKAABQVo0fqAABAAAA AQABAAQAAAqHzRj///8ACofNAQqHZGQKhmRkCoZkFQpmZGQKQB9k+///////ZH3fdQIAAAAuAgAA LgIAAABQVo0fqAAiVcdLfwgARQACIE5BQAB9BqM9CokoMQqHzRgGWwBQylPwxudpgptQGP///6QA AEdFVCAvY29ycy9zZWN1cmUucGhwIEhUVFAvMS4xDQpIb3N0OiBiZHQxMS12bXl5ei5sYWJ5eXou dGVzdG5ldC5yaW0ubmV0DQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2lu ZG93cyBOVCA1LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzMuMTYgKEtIVE1MLCBsaWtlIEdlY2tv KSBWZXJzaW9uLzUuMCBTYWZhcmkvNTMzLjE2DQpBdXRob3JpemF0aW9uOiBCYXNpYyBkWE5sY2pw d1lYTnpkMjl5WkE9PQ0KQWNjZXB0OiBhcHBsaWNhdGlvbi94bWwsYXBwbGljYXRpb24veGh0bWwr eG1sLHRleHQvaHRtbDtxPTAuOSx0ZXh0L3BsYWluO3E9MC44LGltYWdlL3BuZywqLyo7cT0wLjUN ClJlZmVyZXI6IGh0dHA6Ly9hdGcwNS15eXoucmltLm5ldC9odG1sNS94aHJtYW51YWwvY29yc3dp dGhjcmVkZW50aWFscy90ZXN0Lmh0bQ0KQWNjZXB0LUxhbmd1YWdlOiBlbi1VUw0KQWNjZXB0LUVu Y29kaW5nOiBnemlwLCBkZWZsYXRlDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCgEA/////2R9 33UCAAAA0gEAANIBAAAAAAwHrM0AUFaNH6gIAEUAAcQXUEAAgAbXigqHzRgKiSgxAFAGW+dpgpvK U/K+UBj4+AwQAABIVFRQLzEuMSAyMDAgT0sNCkNvbm5lY3Rpb246IGNsb3NlDQpEYXRlOiBGcmks IDI1IEp1biAyMDEwIDE5OjI5OjE1IEdNVA0KU2VydmVyOiBNaWNyb3NvZnQtSUlTLzYuMA0KTWlj cm9zb2Z0T2ZmaWNlV2ViU2VydmVyOiA1LjBfUHViDQpYLVBvd2VyZWQtQnk6IEFTUC5ORVQNClgt UG93ZXJlZC1CeTogUEhQLzUuMi4xMw0KQWNjZXNzLUNvbnRyb2wtQWxsb3ctT3JpZ2luOiAqDQpB Y2Nlc3MtQ29udHJvbC1BbGxvdy1NZXRob2RzOiBHRVQsIFBPU1QsIE9QVElPTlMNCkFjY2Vzcy1D b250cm9sLUFsbG93LUNyZWRlbnRpYWxzOiB0cnVlDQpBY2Nlc3MtQ29udHJvbC1BbGxvdy1IZWFk ZXJzOiBYLVJlcXVlc3RlZC1XaXRoDQpBY2Nlc3MtQ29udHJvbC1NYXgtQWdlOiA4NjQwMA0KQ29u dGVudC10eXBlOiB0ZXh0L2h0bWwNCg0KAQD/////ZH3fdQIAAAB5AAAAeQAAAAAADAeszQBQVo0f qAgARQAAaxdRQACABtjiCofNGAqJKDEAUAZb52mEN8pT8r5QGPj4CrcAADxwPkhlbGxvIHVzZXIu PC9wPjxwPllvdSBlbnRlcmVkICdwYXNzd29yZCcgYXMgeW91ciBwYXNzd29yZC48L3A+DQoBAP// //8RM/91AgAAAPkBAAD5AQAAAFBWjR+oACJVx0t/CABFAAHrTktAAH0Go2gKiSgxCofNGAZcAFAS ZMY0cbZ2eVAY//+2mgAAR0VUIC9jb3JzL3NlY3VyZS5waHAgSFRUUC8xLjENCkhvc3Q6IGJkdDEx LXZteXl6LmxhYnl5ei50ZXN0bmV0LnJpbS5uZXQNClJlZmVyZXI6IGh0dHA6Ly9hdGcwNS15eXou cmltLm5ldC9odG1sNS94aHJtYW51YWwvY29yc3dpdGhjcmVkZW50aWFscy90ZXN0Lmh0bQ0KQWNj ZXB0OiAqLyoNCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMNCk9yaWdpbjogaHR0cDovL2F0ZzA1LXl5 ei5yaW0ubmV0DQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBO VCA1LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzMuMTYgKEtIVE1MLCBsaWtlIEdlY2tvKSBWZXJz aW9uLzUuMCBTYWZhcmkvNTMzLjE2DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUNCkF1 dGhvcml6YXRpb246IEJhc2ljIGRYTmxjanB3WVhOemQyOXlaQT09DQpDb25uZWN0aW9uOiBrZWVw LWFsaXZlDQoNCgEA/////xpw/3UCAAAA0gEAANIBAAAAAAwHrM0AUFaNH6gIAEUAAcQXV0AAgAbX gwqHzRgKiSgxAFAGXHG2dnkSZMf3UBj5LQwQAABIVFRQLzEuMSAyMDAgT0sNCkNvbm5lY3Rpb246 IGNsb3NlDQpEYXRlOiBGcmksIDI1IEp1biAyMDEwIDE5OjI5OjE3IEdNVA0KU2VydmVyOiBNaWNy b3NvZnQtSUlTLzYuMA0KTWljcm9zb2Z0T2ZmaWNlV2ViU2VydmVyOiA1LjBfUHViDQpYLVBvd2Vy ZWQtQnk6IEFTUC5ORVQNClgtUG93ZXJlZC1CeTogUEhQLzUuMi4xMw0KQWNjZXNzLUNvbnRyb2wt QWxsb3ctT3JpZ2luOiAqDQpBY2Nlc3MtQ29udHJvbC1BbGxvdy1NZXRob2RzOiBHRVQsIFBPU1Qs IE9QVElPTlMNCkFjY2Vzcy1Db250cm9sLUFsbG93LUNyZWRlbnRpYWxzOiB0cnVlDQpBY2Nlc3Mt Q29udHJvbC1BbGxvdy1IZWFkZXJzOiBYLVJlcXVlc3RlZC1XaXRoDQpBY2Nlc3MtQ29udHJvbC1N YXgtQWdlOiA4NjQwMA0KQ29udGVudC10eXBlOiB0ZXh0L2h0bWwNCg0KAQD/////GnD/dQIAAAB5 AAAAeQAAAAAADAeszQBQVo0fqAgARQAAaxdYQACABtjbCofNGAqJKDEAUAZccbZ4FRJkx/dQGPkt CrcAADxwPkhlbGxvIHVzZXIuPC9wPjxwPllvdSBlbnRlcmVkICdwYXNzd29yZCcgYXMgeW91ciBw YXNzd29yZC48L3A+DQoBAP////9IAAAA5gAAAC4CAAByBAAAWgYAAOkGAAD4CAAA4AoAAA== 59896 2010-06-28 05:54:53 -0700 2010-06-28 05:54:53 -0700 Client Side Test Page test.htm text/html 2079 sng 77u/PCFET0NUWVBFIEhUTUw+DQo8aHRtbD4NCiA8aGVhZD4NCiAgPHRpdGxlPkNPUlMgV2l0aENy ZWRlbnRpYWxzIEV2ZW50IHRlc3Rpbmc8L3RpdGxlPg0KIDwvaGVhZD4NCiA8Ym9keT4NCiAgPGlu cHV0IGlkPSJCdXR0b24xIiB0eXBlPSJidXR0b24iIHZhbHVlPSJTeW5jV2l0aENyZWRlbnRpYWxz IiBvbmNsaWNrPSJ5ZXNUZXN0KCkiIC8+DQogIDxpbnB1dCBpZD0iQnV0dG9uMiIgdHlwZT0iYnV0 dG9uIiB2YWx1ZT0iU3luY1dpdGhOb0NyZWRlbnRpYWxzIiBvbmNsaWNrPSJub1Rlc3QoKSIgLz4N CiAgPGlucHV0IGlkPSJCdXR0b24zIiB0eXBlPSJidXR0b24iIHZhbHVlPSJBc3luY1dpdGhDcmVk ZW50aWFscyIgb25jbGljaz0ieWVzYVRlc3QoKSIgLz4NCiAgPGlucHV0IGlkPSJCdXR0b240IiB0 eXBlPSJidXR0b24iIHZhbHVlPSJBc3luY1dpdGhOb0NyZWRlbnRpYWxzIiBvbmNsaWNrPSJub2FU ZXN0KCkiIC8+DQogIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij4NCiAgIA0KICAgZnVu Y3Rpb24geWVzVGVzdCgpIHsNCiAgICAgICB2YXIgeGhyID0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7 DQogICAgICAgDQogICAgICAgeGhyLm9wZW4oJ0dFVCcsICdodHRwOi8vYmR0MTEtdm15eXoubGFi eXl6LnRlc3RuZXQucmltLm5ldC9jb3JzL3NlY3VyZS5waHAnLCBmYWxzZSk7DQogICAgICAgeGhy LndpdGhDcmVkZW50aWFscyA9IHRydWU7DQogICAgICAgdHJ5IHsNCiAgICAgICAgICAgeGhyLnNl bmQoKTsNCiAgICAgICB9IGNhdGNoKGVycikgew0KICAgICAgICAgICBhbGVydChlcnIpOw0KICAg ICAgIH0NCiAgICAgICBhbGVydCh4aHIucmVzcG9uc2VUZXh0KTsNCiAgIH0NCg0KICAgZnVuY3Rp b24gbm9UZXN0KCkgew0KICAgICAgIHZhciB4aHIgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTsNCiAg ICAgICANCiAgICAgICB4aHIub3BlbignR0VUJywgJ2h0dHA6Ly9iZHQxMS12bXl5ei5sYWJ5eXou dGVzdG5ldC5yaW0ubmV0L2NvcnMvc2VjdXJlLnBocCcsIGZhbHNlKTsNCiAgICAgICB0cnkgew0K ICAgICAgICAgICB4aHIuc2VuZCgpOw0KICAgICAgIH0gY2F0Y2goZXJyKSB7DQogICAgICAgICAg IGFsZXJ0KGVycik7DQogICAgICAgfQ0KICAgICAgIGFsZXJ0KHhoci5yZXNwb25zZVRleHQpOw0K ICAgfQ0KDQogICBmdW5jdGlvbiB5ZXNhVGVzdCgpIHsNCiAgICAgICB2YXIgeGhyID0gbmV3IFhN TEh0dHBSZXF1ZXN0KCk7DQogICAgICAgDQogICAgICAgeGhyLm9wZW4oJ0dFVCcsICdodHRwOi8v YmR0MTEtdm15eXoubGFieXl6LnRlc3RuZXQucmltLm5ldC9jb3JzL3NlY3VyZS5waHAnKTsNCiAg ICAgICB4aHIud2l0aENyZWRlbnRpYWxzID0gdHJ1ZTsNCiAgICAgICB4aHIub25yZWFkeXN0YXRl Y2hhbmdlID0gZnVuY3Rpb24oKSB7DQogICAgICAgICAgIGlmICggeGhyLnJlYWR5U3RhdGUgPT0g NCApIHsNCiAgICAgICAgICAgICAgIGFsZXJ0KHhoci5yZXNwb25zZVRleHQpOw0KICAgICAgICAg ICB9DQogICAgICAgfQ0KICAgICAgIHhoci5zZW5kKCk7DQogICB9DQoNCiAgIGZ1bmN0aW9uIG5v YVRlc3QoKSB7DQogICAgICAgdmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOw0KICAgICAg IA0KICAgICAgIHhoci5vcGVuKCdHRVQnLCAnaHR0cDovL2JkdDExLXZteXl6LmxhYnl5ei50ZXN0 bmV0LnJpbS5uZXQvY29ycy9zZWN1cmUucGhwJyk7DQogICAgICAgeGhyLm9ucmVhZHlzdGF0ZWNo YW5nZSA9IGZ1bmN0aW9uKCkgew0KICAgICAgICAgICBpZiAoIHhoci5yZWFkeVN0YXRlID09IDQg KSB7DQogICAgICAgICAgICAgICBhbGVydCh4aHIucmVzcG9uc2VUZXh0KTsNCiAgICAgICAgICAg fQ0KICAgICAgIH0NCiAgICAgICB4aHIuc2VuZCgpOw0KICAgfQ0KICA8L3NjcmlwdD4NCiA8L2Jv ZHk+DQogPGlmcmFtZSBuYW1lPSJGUkFNRU5BTUUiIHNyYz0iaHR0cDovL2JkdDExLXZteXl6Lmxh Ynl5ei50ZXN0bmV0LnJpbS5uZXQvY29ycy9zZWN1cmUucGhwIiB3aWR0aD0iMTAwIiBoZWlnaHQ9 IjI4MCIgZnJhbWVib3JkZXI9IjEiIHNjcm9sbGluZz0ibm8iIGFsbG93YXV0b3RyYW5zcGFyZW5j eT10cnVlPjwvaWZyYW1lPg0KPC9odG1sPg0K