Bug 35390 - behavior with http auth and xmlhttprequest
Summary: behavior with http auth and xmlhttprequest
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
Importance: P2 Normal
Assignee: Nobody
Keywords: NeedsReduction
Reported: 2010-02-25 09:13 PST by Dan Winship
Modified: 2017-03-11 10:54 PST

Description Dan Winship 2010-02-25 09:13:43 PST
http://www.vsecurity.com/download/tools/fbha-poc_0.1.zip
is a proof of concept of using xmlhttprequest to allow html form-based auth but using http auth underneath instead of cookies. On Firefox, IE, Safari, and Chrome, it uses http auth, but does not pop up any browser password dialog boxes. In Epiphany though, both the login and logout pages pop up a dialog.

(To run the test server, download the zip file, unzip it, and just run the python script, giving it a port number.)

Haven't looked in detail, but it seems like the difference might be that the other browsers never prompt for passwords on xmlhttprequest requests? (or at least, on xmlhttprequest requests that contain password arguments)
Comment 1 Alexey Proskuryakov 2010-07-12 15:35:19 PDT
> (or at least, on xmlhttprequest requests that contain password arguments)

That would be bug 32916.
Comment 2 Alexey Proskuryakov 2010-07-12 15:36:06 PDT
See also: bug 8291.