Bug 179422 - [Fetch API] Missing authentication header for POST requests
Summary: [Fetch API] Missing authentication header for POST requests
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit API (show other bugs)
Version: Safari 11
Hardware: Mac macOS 10.12
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-08 03:15 PST by Chris Matheson
Modified: 2017-11-08 08:44 PST (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Matheson 2017-11-08 03:15:19 PST 
Safari:  11.0.1
OS Version: OS X 10.12.6
URLs (if applicable) :
Other browsers tested:
  Chrome Version 61.0.3163.100: FAIL
  Firefox 56.0b3 (64-bit): OK

What steps will reproduce the problem?
1. use HTTP basic auth with browser handled authentication (www-authenticate)
2. make a POST request to the same origin (https) with credentials: 'include' or credentials: 'same-origin'
E.G. fetch("/some-path", {headers: {"Content-Type": "application/json", Accept: "application/json"}, credentials: "same-origin", method: "POST", body: "{}"})
3. inspect request for presence of Authorisation header

What is the expected result?

Expect the browser to add the Header to the outgoing request

What happens instead of that?

Header is not present


Please provide any additional information below. Attach a screenshot if
possible.

I initially raised this against the spec as i wasn't sure if it was specified behaviour or not. https://github.com/whatwg/fetch/issues/628#issuecomment-342555664

However I've been advised that this is a bug in the browser and it *should* have added the header



Also filed against chrome at: https://bugs.chromium.org/p/chromium/issues/detail?id=782621