RESOLVED FIXED189057
[Curl] Stop sending request with credential if no authorization requested. 
https://bugs.webkit.org/show_bug.cgi?id=189057
Summary [Curl] Stop sending request with credential if no authorization requested.
Basuke Suzuki
Reported 2018-08-28 14:32:27 PDT
When 401 response returns without 'www-authenticate' header, suppress another request with credential.
Attachments
PATCH (5.30 KB, patch)
2018-08-28 15:14 PDT, Basuke Suzuki 		achristensen: review-
achristensen: commit-queue-
DetailsFormatted DiffDiff
PATCH (6.56 KB, patch)
2018-09-06 12:30 PDT, Basuke Suzuki 		no flags
DetailsFormatted DiffDiff
Fix tests to be run after onload. (6.62 KB, patch)
2018-09-07 15:23 PDT, Basuke Suzuki 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Basuke Suzuki
Comment 1 2018-08-28 15:14:44 PDT
Created attachment 348350 [details] PATCH
Fujii Hironori
Comment 2 2018-09-04 20:51:11 PDT
Comment on attachment 348350 [details] PATCH View in context: https://bugs.webkit.org/attachment.cgi?id=348350&action=review > LayoutTests/ChangeLog:9 > + * http/tests/xmlhttprequest/unauthorized-without-authenticate-header.php: Added. I can't understand what does this test case do. Why don't you check whether Authorization header is sent? > LayoutTests/http/tests/xmlhttprequest/unauthorized-without-authenticate-header.php:21 > + req.open("GET", "<?php echo basename(__FILE__) . '?auth=1'; ?>", false); I prefer using JS API to get current URL instead of PHP. window.location.href
Basuke Suzuki
Comment 3 2018-09-04 23:54:05 PDT
(In reply to Fujii Hironori from comment #2) > Comment on attachment 348350 [details] > PATCH > > View in context: > https://bugs.webkit.org/attachment.cgi?id=348350&action=review > > > LayoutTests/ChangeLog:9 > > + * http/tests/xmlhttprequest/unauthorized-without-authenticate-header.php: Added. > > I can't understand what does this test case do. > Why don't you check whether Authorization header is sent? The browser behaves differently whether authorization exists or not. > > > LayoutTests/http/tests/xmlhttprequest/unauthorized-without-authenticate-header.php:21 > > + req.open("GET", "<?php echo basename(__FILE__) . '?auth=1'; ?>", false); > > I prefer using JS API to get current URL instead of PHP. > window.location.href I don't agree with that, but I can change as you wish if that is the requirement of reviewing.
Fujii Hironori
Comment 4 2018-09-05 20:10:10 PDT
(In reply to Basuke Suzuki from comment #3) > > I can't understand what does this test case do. > > Why don't you check whether Authorization header is sent? > > The browser behaves differently whether authorization exists or not. I don't understand this. Authorization is a request header sent by clients (browsers). > > > LayoutTests/http/tests/xmlhttprequest/unauthorized-without-authenticate-header.php:21 > > > + req.open("GET", "<?php echo basename(__FILE__) . '?auth=1'; ?>", false); > > > > I prefer using JS API to get current URL instead of PHP. > > window.location.href > > I don't agree with that, but I can change as you wish if that is the > requirement of reviewing. Mixing JS and PHP makes code ugly. I think you can write as following in this case. > req.open("GET", '?auth=1', false);
Basuke Suzuki
Comment 5 2018-09-06 11:08:29 PDT
(In reply to Fujii Hironori from comment #4) > (In reply to Basuke Suzuki from comment #3) > > > I can't understand what does this test case do. > > > Why don't you check whether Authorization header is sent? > > > > The browser behaves differently whether authorization exists or not. > > I don't understand this. > Authorization is a request header sent by clients (browsers). > > > > > LayoutTests/http/tests/xmlhttprequest/unauthorized-without-authenticate-header.php:21 > > > > + req.open("GET", "<?php echo basename(__FILE__) . '?auth=1'; ?>", false); > > > > > > I prefer using JS API to get current URL instead of PHP. > > > window.location.href > > > > I don't agree with that, but I can change as you wish if that is the > > requirement of reviewing. > > Mixing JS and PHP makes code ugly. > I think you can write as following in this case. > > req.open("GET", '?auth=1', false); (In reply to Fujii Hironori from comment #4) > (In reply to Basuke Suzuki from comment #3) > > > I can't understand what does this test case do. > > > Why don't you check whether Authorization header is sent? > > > > The browser behaves differently whether authorization exists or not. > > I don't understand this. > Authorization is a request header sent by clients (browsers). My bad. "authenticate" header. And it seems test file was missing with actual check. It was there and gone. I don't know why, but I'm fixing this. > > > > > LayoutTests/http/tests/xmlhttprequest/unauthorized-without-authenticate-header.php:21 > > > > + req.open("GET", "<?php echo basename(__FILE__) . '?auth=1'; ?>", false); > > > > > > I prefer using JS API to get current URL instead of PHP. > > > window.location.href > > > > I don't agree with that, but I can change as you wish if that is the > > requirement of reviewing. > > Mixing JS and PHP makes code ugly. > I think you can write as following in this case. > > req.open("GET", '?auth=1', false); Okay.
Alex Christensen
Comment 6 2018-09-06 11:26:32 PDT
Comment on attachment 348350 [details] PATCH View in context: https://bugs.webkit.org/attachment.cgi?id=348350&action=review >>> LayoutTests/http/tests/xmlhttprequest/unauthorized-without-authenticate-header.php:21 >>> + req.open("GET", "<?php echo basename(__FILE__) . '?auth=1'; ?>", false); >> >> I prefer using JS API to get current URL instead of PHP. >> window.location.href > > I don't agree with that, but I can change as you wish if that is the requirement of reviewing. I agree with Fujii, and please don't use synchronous xmlhttprequest unless you're explicitly testing synchronous behavior, which you're not.
Basuke Suzuki
Comment 7 2018-09-06 12:30:40 PDT
Created attachment 349053 [details] PATCH Stop using sync test. Separate sub resources. Add more detail for this test purpose.
Fujii Hironori
Comment 8 2018-09-06 20:55:25 PDT
Comment on attachment 349053 [details] PATCH View in context: https://bugs.webkit.org/attachment.cgi?id=349053&action=review > LayoutTests/http/tests/xmlhttprequest/unauthorized-without-authenticate-header.html:11 > + shouldBe("xhr.status", "401"); Do you expect this check fail unless this patch is applied? I confirmed this says "PASS xhr.status is 401" even without applying this change.
Basuke Suzuki
Comment 9 2018-09-07 15:08:14 PDT
Comment on attachment 349053 [details] PATCH View in context: https://bugs.webkit.org/attachment.cgi?id=349053&action=review >> LayoutTests/http/tests/xmlhttprequest/unauthorized-without-authenticate-header.html:11 >> + shouldBe("xhr.status", "401"); > > Do you expect this check fail unless this patch is applied? > I confirmed this says "PASS xhr.status is 401" even without applying this change. That's okay. The server script returns 401, so the result is expected. What I want to check here is that the response is 401 and no authentication challenge should be invoked. Latter is checked by the absence of 'http://127.0.0.1:8000/xmlhttprequest/resources/no-authenticate-header-401.php - didReceiveAuthenticationChallenge - Simulating cancelled authentication sheet' debug message. .
Basuke Suzuki
Comment 10 2018-09-07 15:23:53 PDT
Created attachment 349204 [details] Fix tests to be run after onload.
WebKit Commit Bot
Comment 11 2018-09-07 17:32:20 PDT
Comment on attachment 349204 [details] Fix tests to be run after onload. Clearing flags on attachment: 349204 Committed r235821: <https://trac.webkit.org/changeset/235821>
WebKit Commit Bot
Comment 12 2018-09-07 17:32:22 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 13 2018-09-07 17:33:42 PDT
<rdar://problem/44245852>
Note You need to log in before you can comment on or make changes to this bug.