Bug 13075 - XMLHttpRequest with failed authentication should set status to 401
: XMLHttpRequest with failed authentication should set status to 401
Status: RESOLVED FIXED
Product: WebKit
Classification: Unclassified
Component: XML
: 523.x (Safari 3)
: Macintosh Mac OS X 10.4
: P2 Normal
Assigned To: Alexey Proskuryakov
:
Depends on: 14704
Blocks: 10489 6871
  Show dependency treegraph
 
Reported: 2007-03-14 14:13 PDT by Jesse Costello-Good
Modified: 2010-07-12 09:59 PDT (History)
2 users (show)

See Also:


Attachments
test case (1.10 KB, text/html)
2007-07-05 11:55 PDT, Alexey Proskuryakov
no flags Details
proposed fix (11.87 KB, patch)
2010-07-09 17:44 PDT, Alexey Proskuryakov
darin: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jesse Costello-Good 2007-03-14 14:13:21 PDT
The current behavior is to throw an error (NETWORK_ERR: XMLHttpRequest Exception 101) for synchronous requests and set the status to 0 for asynchronous requests.

IE and Fx both correctly set the status to 401 for both synchronous and asynchronous requests.
Comment 1 Alexey Proskuryakov 2007-03-15 04:54:41 PDT
Could you please provide a test case? I did not see this behavior when I was testing autentication in XHR, so I was probably doing something differently.
Comment 2 Jesse Costello-Good 2007-03-15 08:18:14 PDT
Here's 4:

var r = new XMLHttpRequest();
r.open("GET", "http://gi.tibco.com/tests/auth2/data1.xml", false);
r.send();
assertEquals(401, r.status);

var r = new XMLHttpRequest();
r.open("GET", "http://gi.tibco.com/tests/auth2/data1.xml", false, "badname", "passpw");
r.send();
assertEquals(401, r.status);

var r = new XMLHttpRequest();
r.open("GET", "http://gi.tibco.com/tests/auth2/data1.xml", true);
r.onreadystatechange = function() {
  if (r.readyState == 4) {
    assertEquals(401, r.status);
  }
};
r.send();

var r = new XMLHttpRequest();
r.open("GET", "http://gi.tibco.com/tests/auth2/data1.xml", true, "badname", "passpw");
r.onreadystatechange = function() {
  if (r.readyState == 4) {
    assertEquals(401, r.status);
  }
};
r.send();
Comment 3 Alexey Proskuryakov 2007-07-05 11:54:27 PDT
Confirmed with r23984.

Please note that the current draft of XMLHttpRequest spec just says that "If authentication fails, user agents should prompt the users for credentials." It probably needs to say that the user can be asked for credentials only once, and if that doesn't help, the 401 response is returned.
Comment 4 Alexey Proskuryakov 2007-07-05 11:55:23 PDT
Created attachment 15402 [details]
test case

A test case that works from LayoutTests/http/tests/xmlhttprequest.
Comment 5 Alexey Proskuryakov 2007-07-30 11:34:31 PDT
The sync (regression) part was fixed in bug 14704. A commented out test for the async case can be found in http/tests/xmlhttprequest/failed-auth.html.
Comment 6 Alexey Proskuryakov 2010-07-09 17:44:28 PDT
Created attachment 61123 [details]
proposed fix
Comment 7 Alexey Proskuryakov 2010-07-12 09:59:33 PDT
Fixed on Mac in <http://trac.webkit.org/changeset/63095>. A Windows Safari fix is in closed source code.

The fix was to change what happens when the user cancels authentication sheet. Please file new bugs for other aspects that may be still wrong.