Bug 41531

Summary: Asynchronous cross origin XMLHttpRequest doesn't expose 401 response when withCredentials is false
Product: WebKit Reporter: Stuart Ng <sng>
Component: XMLAssignee: Alexey Proskuryakov <ap>
Severity: Normal CC: ap, dglazkov, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Description Flags
Packet Trace of this transaction
Test Page on Client Side.
proposed fix beidson: review+

Description Stuart Ng 2010-07-02 12:33:21 PDT
Created attachment 60387 [details]
Packet Trace of this transaction

- Test Scenario:

- Try to do HTTP GET to a secure webpage
- Server sends back 401
- Since withCredentials is false, no credentials are sent back.

- I would expect a 401 error to be the final result, (I.e. failed to log in)
- Instead, a get a Network Error 101 and xhr.status = 0.

- This only happens on Safari. ON Chrome I am getting status 401 as expected.
Comment 1 Stuart Ng 2010-07-02 12:34:29 PDT
Created attachment 60389 [details]
Test Page on Client Side.
Comment 2 Alexey Proskuryakov 2010-07-09 16:43:13 PDT
I'm seeing the same behavior in Firefox. But Firefox also doesn't let the sync request response through. Does that match your results?

The code that implements this behavior is in DocumentThreadableLoader::didReceiveAuthenticationChallenge().
Comment 3 Alexey Proskuryakov 2010-07-19 15:21:40 PDT
Created attachment 61999 [details]
proposed fix
Comment 4 WebKit Review Bot 2010-07-19 16:09:44 PDT
Attachment 61999 [details] did not build on chromium:
Build output: http://queues.webkit.org/results/3564261
Comment 5 Brady Eidson 2010-07-20 12:21:28 PDT
Comment on attachment 61999 [details]
proposed fix

> Index: WebCore/ChangeLog
> ===================================================================
> +
> +        * loader/DocumentThreadableLoader.cpp:
> +        (WebCore::DocumentThreadableLoader::didReceiveAuthenticationChallenge): Instead of canceling
> +        the request, continue withotu credentials - if the platform has a necessary method on
> +        ResourceHandle.

typo "withotu"

> +
> +        * loader/SubresourceLoader.cpp:
> +        (WebCore::SubresourceLoader::didReceiveAuthenticationChallenge): Don't ask resource laoder
> +        client for credentials if subresource laoder client already resolved those.

typo "laoder"

Otherwise seems fine!
Comment 6 Alexey Proskuryakov 2010-07-20 12:49:07 PDT
Committed <http://trac.webkit.org/changeset/63766>.
Comment 7 Darin Adler 2010-07-20 16:24:18 PDT
Comment on attachment 61999 [details]
proposed fix

> +        loader->handle()->receivedRequestToContinueWithoutCredential(challenge);

Seems to me that this should be an #if that's tied to the implementation more directly -- in the ResourceHandle.h header. It seems strange to have the list of platforms here inside a file using the class rather than where the function is defined.
Comment 8 Alexey Proskuryakov 2010-08-09 07:41:18 PDT