Bug 13075 - XMLHttpRequest with failed authentication should set status to 401
: XMLHttpRequest with failed authentication should set status to 401
Status: RESOLVED FIXED
: WebKit
XML
: 523.x (Safari 3)
: Macintosh Mac OS X 10.4
: P2 Normal
Assigned To:
:
:
: 14704
: 6871 10489
  Show dependency treegraph
 
Reported: 2007-03-14 14:13 PST by
Modified: 2010-07-12 09:59 PST (History)


Attachments
test case (1.10 KB, text/html)
2007-07-05 11:55 PST, Alexey Proskuryakov
no flags Details
proposed fix (11.87 KB, patch)
2010-07-09 17:44 PST, Alexey Proskuryakov
darin: review+
Review Patch | Details | Formatted Diff | Diff


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2007-03-14 14:13:21 PST
The current behavior is to throw an error (NETWORK_ERR: XMLHttpRequest Exception 101) for synchronous requests and set the status to 0 for asynchronous requests.

IE and Fx both correctly set the status to 401 for both synchronous and asynchronous requests.
------- Comment #1 From 2007-03-15 04:54:41 PST -------
Could you please provide a test case? I did not see this behavior when I was testing autentication in XHR, so I was probably doing something differently.
------- Comment #2 From 2007-03-15 08:18:14 PST -------
Here's 4:

var r = new XMLHttpRequest();
r.open("GET", "http://gi.tibco.com/tests/auth2/data1.xml", false);
r.send();
assertEquals(401, r.status);

var r = new XMLHttpRequest();
r.open("GET", "http://gi.tibco.com/tests/auth2/data1.xml", false, "badname", "passpw");
r.send();
assertEquals(401, r.status);

var r = new XMLHttpRequest();
r.open("GET", "http://gi.tibco.com/tests/auth2/data1.xml", true);
r.onreadystatechange = function() {
  if (r.readyState == 4) {
    assertEquals(401, r.status);
  }
};
r.send();

var r = new XMLHttpRequest();
r.open("GET", "http://gi.tibco.com/tests/auth2/data1.xml", true, "badname", "passpw");
r.onreadystatechange = function() {
  if (r.readyState == 4) {
    assertEquals(401, r.status);
  }
};
r.send();
------- Comment #3 From 2007-07-05 11:54:27 PST -------
Confirmed with r23984.

Please note that the current draft of XMLHttpRequest spec just says that "If authentication fails, user agents should prompt the users for credentials." It probably needs to say that the user can be asked for credentials only once, and if that doesn't help, the 401 response is returned.
------- Comment #4 From 2007-07-05 11:55:23 PST -------
Created an attachment (id=15402) [details]
test case

A test case that works from LayoutTests/http/tests/xmlhttprequest.
------- Comment #5 From 2007-07-30 11:34:31 PST -------
The sync (regression) part was fixed in bug 14704. A commented out test for the async case can be found in http/tests/xmlhttprequest/failed-auth.html.
------- Comment #6 From 2010-07-09 17:44:28 PST -------
Created an attachment (id=61123) [details]
proposed fix
------- Comment #7 From 2010-07-12 09:59:33 PST -------
Fixed on Mac in <http://trac.webkit.org/changeset/63095>. A Windows Safari fix is in closed source code.

The fix was to change what happens when the user cancels authentication sheet. Please file new bugs for other aspects that may be still wrong.