| Field | Value |
|---|---|
| Summary | Asynchronous cross origin XMLHttpRequest doesn't expose 401 response when withCredentials is false |
| Product | WebKit |
| Component | XML |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | 528+ (Nightly build) |
| Hardware | All |
| OS | All |
| Reporter | Stuart Ng <sng> |
| Assignee | Alexey Proskuryakov <ap> |
| CC | ap, dglazkov, webkit.review.bot |
Created attachment 60389 [details]
Test Page on Client Side.
I'm seeing the same behavior in Firefox. But Firefox also doesn't let the sync request response through. Does that match your results?

The code that implements this behavior is in DocumentThreadableLoader::didReceiveAuthenticationChallenge().

Created attachment 61999 [details]
proposed fix
Attachment 61999 [details] did not build on chromium:
Build output: http://queues.webkit.org/results/3564261

Comment on attachment 61999 [details]
proposed fix

> Index: WebCore/ChangeLog
> ===================================================================
> +
> + * loader/DocumentThreadableLoader.cpp:
> + (WebCore::DocumentThreadableLoader::didReceiveAuthenticationChallenge): Instead of canceling
> + the request, continue withotu credentials - if the platform has a necessary method on
> + ResourceHandle.

typo "withotu"

> +
> + * loader/SubresourceLoader.cpp:
> + (WebCore::SubresourceLoader::didReceiveAuthenticationChallenge): Don't ask resource laoder
> + client for credentials if subresource laoder client already resolved those.

typo "laoder"

Otherwise seems fine!

Committed <http://trac.webkit.org/changeset/63766>.

Comment on attachment 61999 [details]
proposed fix

> +#if PLATFORM(MAC) || USE(CFNETWORK) || USE(CURL)
> + loader->handle()->receivedRequestToContinueWithoutCredential(challenge);

Seems to me that this should be an #if that's tied to the implementation more directly -- in the ResourceHandle.h header. It seems strange to have the list of platforms here inside a file using the class rather than where the function is defined.
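Review bot: The ChangeLog entry for DocumentThreadableLoader::didReceiveAuthenticationChallenge says the request now continues without credentials "if the platform has a necessary method on ResourceHandle", but the quoted `#if PLATFORM(MAC) || USE(CFNETWORK) || USE(CURL)` guard around `loader->handle()->receivedRequestToContinueWithoutCredential(challenge);` shows only the positive branch; the entry should also state what happens to the challenge on platforms outside that list, so the scope of the fix (and which platforms still get the old behaviour) is clear from the ChangeLog alone.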
Created attachment 60387 [details]
Packet Trace of this transaction

Test Scenario:
- Try to do HTTP GET to a secure webpage
- Server sends back 401
- Since withCredentials is false, no credentials are sent back.
- I would expect a 401 error to be the final result (i.e. failed to log in)
- Instead, I get a Network Error 101 and xhr.status = 0.
- This only happens on Safari. On Chrome I am getting status 401 as expected.
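The server half of this test scenario, as an added example that is not part of the bug report, the attached test page or WebKit's own code: a small Python HTTP server answers GET /secure with a 401 and a WWW-Authenticate: Basic challenge unless matching Basic credentials arrive, and a plain urllib client stands in for the browser's XMLHttpRequest. The client never answers the challenge, which is what the reporter expects from an XHR with withCredentials set to false, so the 401 itself is the final status rather than a network error. The path /secure, the realm and the credentials alice/s3cret are constructed for the example. The server also sends Access-Control-Allow-Origin on the 401 response; without that header a cross-origin XHR cannot read the 401 status either, which is worth ruling out before attributing a status of 0 to the browser.

```python
"""Reproduction server for a 401 challenge that a non-credentialed client should see as-is.

Constructed example: the endpoint, realm and credentials below are placeholders.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

# Constructed credentials; any value works, the point is the challenge flow.
VALID_USER, VALID_PASSWORD = "alice", "s3cret"


class ProtectedHandler(BaseHTTPRequestHandler):
    """GET /secure: 200 with valid Basic credentials, otherwise 401 + WWW-Authenticate."""

    def _authorized(self) -> bool:
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            decoded = base64.b64decode(header[len("Basic "):]).decode()
        except (ValueError, UnicodeDecodeError):
            return False
        return decoded == f"{VALID_USER}:{VALID_PASSWORD}"

    def do_GET(self) -> None:
        if self.path != "/secure":
            self.send_response(404)
            self.end_headers()
            return
        if self._authorized():
            self.send_response(200)
            body = b"secret resource\n"
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="test"')
            body = b"authentication required\n"
        # Sent on both branches: a cross-origin XHR can only read the 401 if the
        # 401 response itself carries the CORS header.
        self.send_header("Access-Control-Allow-Origin", "*")
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # keep the example quiet
        pass


def start_server() -> HTTPServer:
    """Bind to an ephemeral loopback port and serve in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), ProtectedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_status(url: str, credentials: Optional[Tuple[str, str]] = None) -> int:
    """GET url, optionally with Basic credentials, and return the final HTTP status.

    urllib installs no authentication handler by default, so a 401 is never
    answered with credentials; it surfaces as HTTPError and is returned as 401.
    That is the 'continue without credentials' outcome the reporter expects.
    """
    req = urllib.request.Request(url)
    if credentials:
        token = base64.b64encode(f"{credentials[0]}:{credentials[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_scenario() -> Dict[str, int]:
    """Run the three client variants against a fresh server and collect statuses."""
    server = start_server()
    url = f"http://127.0.0.1:{server.server_port}/secure"
    try:
        return {
            "no_credentials": fetch_status(url),
            "wrong_credentials": fetch_status(url, ("alice", "nope")),
            "valid_credentials": fetch_status(url, (VALID_USER, VALID_PASSWORD)),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_scenario())
```

Pointing the attached test page at this server (with the origin of the page differing from 127.0.0.1:port) reproduces the cross-origin case; the urllib client only shows what the final status should be when the challenge is left unanswered.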