Summary: | Synchronous XMLHttpRequest should ask for authentication credentials when necessary | ||
---|---|---|---|
Product: | WebKit | Reporter: | Mark Nottingham <mnot> |
Component: | XML | Assignee: | Nobody <webkit-unassigned> |
Status: | NEW --- | ||
Severity: | Normal | CC: | ap, emacemac7, ian, jesse, mrowe, paroga, pmuellr, rik, sarahbrolley |
Priority: | P2 | Keywords: | HasReduction, InRadar |
Version: | 417.x | ||
Hardware: | Mac | ||
OS: | OS X 10.4 | ||
URL: | http://www.mnot.net/javascript/xmlhttprequest/ | ||
Bug Depends on: | |||
Bug Blocks: | 10489 |
Description
Mark Nottingham
2006-04-12 13:26:15 PDT
I'm running 6 tests: {async, sync} x {correct name/pw, omit name/pw args, incorrect name/pw} and I get these results in IE6, Fx, and Safari nightly: Sync Correct Sync Blank Sync Incorrect Async Correct Async Blank Async Incorrect IE6 no yes no no yes no Fx2 no yes yes no yes yes Saf no no no no yes yes Also testing with pre-authentication from http://www.mnot.net/javascript/xmlhttprequest/ I get: Sync Pre-auth Async Pre-auth IE6 no no Fx2 no no Saf no no It would be nice if all browsers had an API for disabling the authentication dialog. Automated tests of XMLHttpRequest authentication are very difficult otherwise. *** Bug 25076 has been marked as a duplicate of this bug. *** *** Bug 37992 has been marked as a duplicate of this bug. *** Did a bit of trolling to see if I could find any simple issue to resolve with this. Ran into this: in file WebCore/platform/network/mac/ResourceHandleMac.mm, in class WebCoreSynchronousLoader, in method connection:didReceiveAuthenticationChallenge: at the bottom of the method: // FIXME: The user should be asked for credentials, as in async case. [[challenge sender] continueWithoutCredentialForAuthenticationChallenge:challenge]; Given the context, this looks like the right place to add the prompter. The challenging part would be to ensure that JavaScript is fully suspended while the authentication sheet is displayed. Currently, we achieve that by running the loader with a custom run loop mode. An auth sheet will allow user gestures, so the user could e.g. resize the window in the middle of JS execution, and of course there are all kinds of timers and other networking requests to suspend. |