Bug 41531

Summary: Asynchronous cross origin XMLHttpRequest doesn't expose 401 response when withCredentials is false
Product: WebKit Reporter: Stuart Ng <sng>
Component: XML
Assignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, dglazkov, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description                        Flags
Packet Trace of this transaction   none
Test Page on Client Side.          none
proposed fix                       beidson: review+

Description Stuart Ng 2010-07-02 12:33:21 PDT
Created attachment 60387 [details]
Packet Trace of this transaction

- Test Scenario:

- Try to do an HTTP GET to a secure web page
- Server sends back 401
- Since withCredentials is false, no credentials are sent back.

- I would expect a 401 error to be the final result (i.e. failed to log in)
- Instead, I get a Network Error 101 and xhr.status = 0.

- This only happens on Safari. On Chrome I am getting status 401 as expected.
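As an added example, not from the bug report, its attachments or WebKit's code: a small JavaScript model of what a page's XHR ends up seeing for a cross-origin 401 response. It assumes the CORS response check from the Fetch standard (a wildcard Access-Control-Allow-Origin is accepted only when withCredentials is false; a credentialed request needs an exact origin match plus Access-Control-Allow-Credentials: true), sample responses constructed inline, a hypothetical page origin https://app.example, and a browser-side probe() that is only usable where XMLHttpRequest exists. The reporter's scenario is the first sample: the expected outcome is a load event with status 401, not an error event with status 0.

```javascript
'use strict';

// Added example, not code from the bug or from WebKit. It models the decision
// a browser makes for a cross-origin XHR response, a 401 included: the
// response is exposed to the page only if the CORS response check passes,
// and with withCredentials=false the 401 challenge is simply not answered.

// Hypothetical page origin and constructed sample responses (not real traffic).
const PAGE_ORIGIN = 'https://app.example';

const SAMPLE_RESPONSES = {
  // 401 from a server that opts in to anonymous cross-origin reads.
  challengeWithCors: {
    status: 401,
    headers: {
      'www-authenticate': 'Basic realm="secure"',
      'access-control-allow-origin': '*',
    },
  },
  // 401 with no CORS headers at all: the page must not be able to read it.
  challengeNoCors: {
    status: 401,
    headers: { 'www-authenticate': 'Basic realm="secure"' },
  },
  // 401 from a server that opts in to credentialed reads from this origin.
  challengeCredentialed: {
    status: 401,
    headers: {
      'www-authenticate': 'Basic realm="secure"',
      'access-control-allow-origin': 'https://app.example',
      'access-control-allow-credentials': 'true',
    },
  },
};

// CORS response check (Fetch standard): may the page read this response?
// A wildcard ACAO is accepted only for non-credentialed requests; a
// credentialed request needs an exact origin match plus ACAC: true.
function corsCheckPasses(origin, withCredentials, headers) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (!withCredentials && acao === '*') return true;
  if (acao !== origin) return false;
  if (!withCredentials) return true;
  return headers['access-control-allow-credentials'] === 'true';
}

// What the page's XHR observes. A 401 is an authentication challenge, but with
// withCredentials=false the browser sends no cookies or HTTP auth and must not
// answer the challenge; the load continues without credentials and the 401 is
// then treated like any other status. The bug was that WebKit cancelled the
// load at the challenge instead, which surfaced as a network error, status 0.
// Only the exposure decision is modelled; credential prompts are out of scope.
function observe(origin, withCredentials, response) {
  if (!corsCheckPasses(origin, withCredentials, response.headers)) {
    return { status: 0, error: 'network error' };
  }
  return { status: response.status, error: null };
}

// Browser-side reproduction of the report (needs XMLHttpRequest, so call it
// from a page, not from Node). 'load' with status 401 is the expected result;
// an 'error' event with status 0 is the behaviour the bug describes.
function probe(url, withCredentials, done) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', url, true);
  xhr.withCredentials = withCredentials;
  xhr.onload = () => done({ status: xhr.status, error: null });
  xhr.onerror = () => done({ status: xhr.status, error: 'network error' });
  xhr.send();
}

// Stand-alone run: show what each sample ends up as for both modes.
for (const [name, response] of Object.entries(SAMPLE_RESPONSES)) {
  for (const withCredentials of [false, true]) {
    console.log(name, 'withCredentials=' + withCredentials,
      observe(PAGE_ORIGIN, withCredentials, response));
  }
}
```

The point the model makes explicit: whether the page sees the 401 is decided by the CORS headers on that 401, not by the authentication state. A server that wants anonymous cross-origin clients to distinguish "unauthorized" from "unreachable" has to put Access-Control-Allow-Origin on its 401 responses too; with withCredentials set, a wildcard is never enough.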
Comment 1 Stuart Ng 2010-07-02 12:34:29 PDT
Created attachment 60389 [details]
Test Page on Client Side.
Comment 2 Alexey Proskuryakov 2010-07-09 16:43:13 PDT
I'm seeing the same behavior in Firefox. But Firefox also doesn't let the sync request response through. Does that match your results?

The code that implements this behavior is in DocumentThreadableLoader::didReceiveAuthenticationChallenge().
Comment 3 Alexey Proskuryakov 2010-07-19 15:21:40 PDT
Created attachment 61999 [details]
proposed fix
Comment 4 WebKit Review Bot 2010-07-19 16:09:44 PDT
Attachment 61999 [details] did not build on chromium:
Build output: http://queues.webkit.org/results/3564261
Comment 5 Brady Eidson 2010-07-20 12:21:28 PDT
Comment on attachment 61999 [details]
proposed fix

> Index: WebCore/ChangeLog
> ===================================================================
> +
> +        * loader/DocumentThreadableLoader.cpp:
> +        (WebCore::DocumentThreadableLoader::didReceiveAuthenticationChallenge): Instead of canceling
> +        the request, continue withotu credentials - if the platform has a necessary method on
> +        ResourceHandle.
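Review bot: the ChangeLog entry for didReceiveAuthenticationChallenge should name the ResourceHandle method it depends on instead of "a necessary method"; the patch calls receivedRequestToContinueWithoutCredential(challenge), so state that name and which ports provide it, so a reader of the log can tell which ports gain the continue-without-credentials behaviour and which keep the previous cancel.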

typo "withotu"

> +
> +        * loader/SubresourceLoader.cpp:
> +        (WebCore::SubresourceLoader::didReceiveAuthenticationChallenge): Don't ask resource laoder
> +        client for credentials if subresource laoder client already resolved those.

typo "laoder"

Otherwise seems fine!
Comment 6 Alexey Proskuryakov 2010-07-20 12:49:07 PDT
Committed <http://trac.webkit.org/changeset/63766>.
Comment 7 Darin Adler 2010-07-20 16:24:18 PDT
Comment on attachment 61999 [details]
proposed fix

> +#if PLATFORM(MAC) || USE(CFNETWORK) || USE(CURL)
> +        loader->handle()->receivedRequestToContinueWithoutCredential(challenge);
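Review bot: the `#if PLATFORM(MAC) || USE(CFNETWORK) || USE(CURL)` guard enumerates ports at the call site in DocumentThreadableLoader.cpp, where it will drift from the set of ports that actually implement receivedRequestToContinueWithoutCredential; move the condition next to the declaration in ResourceHandle.h (one macro that the call site tests) so that adding the method to a port, or dropping it, changes one place. Please also confirm what the path outside the guard does with the challenge: it is not shown in this hunk, and a challenge that is neither continued nor cancelled would leave the load hanging.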

Seems to me that this should be an #if that's tied to the implementation more directly -- in the ResourceHandle.h header. It seems strange to have the list of platforms here inside a file using the class rather than where the function is defined.
Comment 8 Alexey Proskuryakov 2010-08-09 07:41:18 PDT
https://bugzilla.mozilla.org/show_bug.cgi?id=580353