Bug 8342
| Summary: | Synchronous XMLHttpRequest should ask for authentication credentials when necessary | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Mark Nottingham <mnot> |
| Component: | XML | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | ap, emacemac7, ian, jesse, mrowe, paroga, pmuellr, rik, sarahbrolley |
| Priority: | P2 | Keywords: | HasReduction, InRadar |
| Version: | 417.x | ||
| Hardware: | Mac | ||
| OS: | OS X 10.4 | ||
| URL: | http://www.mnot.net/javascript/xmlhttprequest/ | ||
| Bug Depends on: | |||
| Bug Blocks: | 10489 | ||
Mark Nottingham
Using XmlHttpRequest, if you access a HTTP authenticated resource (e.g., with Basic auth), and the credentials aren't already in the browser, WebKit will pop up an authentication dialog *if* the XmlHttpRequest is made asynchronously. However, it will not pop up a dialog if the XmlHttpRequest send is made synchronously; instead, it will return a -1012 status code.
This is inconsistent with other browsers, as well as being plain weird.
See http://www.mnot.net/javascript/xmlhttprequest/ ("Does unhandled authentication pop up a dialog?") for test code.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Jesse Costello-Good
I'm running 6 tests: {async, sync} x {correct name/pw, omit name/pw args, incorrect name/pw} and I get these results in IE6, Fx, and Safari nightly:
Sync Correct Sync Blank Sync Incorrect Async Correct Async Blank Async Incorrect
IE6 no yes no no yes no
Fx2 no yes yes no yes yes
Saf no no no no yes yes
Also testing with pre-authentication from http://www.mnot.net/javascript/xmlhttprequest/ I get:
Sync Pre-auth Async Pre-auth
IE6 no no
Fx2 no no
Saf no no
It would be nice if all browsers had an API for disabling the authentication dialog. Automated tests of XMLHttpRequest authentication are very difficult otherwise.
Alexey Proskuryakov
*** Bug 25076 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash)
<rdar://problem/7347794>
Alexey Proskuryakov
*** Bug 37992 has been marked as a duplicate of this bug. ***
Patrick Mueller
Did a bit of trolling to see if I could find any simple issue to resolve with this. Ran into this:
in file WebCore/platform/network/mac/ResourceHandleMac.mm,
in class WebCoreSynchronousLoader,
in method connection:didReceiveAuthenticationChallenge:
at the bottom of the method:
// FIXME: The user should be asked for credentials, as in async case.
[[challenge sender] continueWithoutCredentialForAuthenticationChallenge:challenge];
Given the context, this looks like the right place to add the prompter.
Alexey Proskuryakov
The challenging part would be to ensure that JavaScript is fully suspended while the authentication sheet is displayed. Currently, we achieve that by running the loader with a custom run loop mode.
An auth sheet will allow user gestures, so the user could e.g. resize the window in the middle of JS execution, and of course there are all kinds of timers and other networking requests to suspend.