WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
40138
Authorization header is sent from an HTTP Auth protected site on redirect
https://bugs.webkit.org/show_bug.cgi?id=40138
Summary
Authorization header is sent from an HTTP Auth protected site on redirect
Tosh
Reported
2010-06-03 13:57:37 PDT
If I am on a Basic Auth protected website and click a link to download a file which sends the browser a 302 redirect to a new site hosting
Attachments
Screen shot of Webkit Nightly Build after 302 redirection from Basic Auth page to no AUTH page
(339.29 KB, image/png)
2010-07-22 15:27 PDT
,
Tosh
no flags
Details
Patch v1
(10.89 KB, patch)
2010-12-14 16:59 PST
,
Brady Eidson
ap
: review+
beidson
: commit-queue-
Details
Formatted Diff
Diff
Show Obsolete
(1)
View All
Add attachment
proposed patch, testcase, etc.
Tosh
Comment 1
2010-06-03 14:03:02 PDT
ARG!! Hit ENTER at the wrong time... If I am on a Basic Auth protected website and click a link to download a file which sends the browser a 302 redirect to a new site hosting the file to be downloaded, then the Authorization header is sent to the new site, like this: mysite.com/protected/download?fileID=123 Returns a 302 redirect to: newSite.com/notProtected/download?fileID=123 The above URL will be sent the Authorization header from the original site. Normally this is probably not a problem, but some web services these days accept either the option of Authorization headers or URL tokens to access their resources, and when BOTH are sent this causes errors. I would expect Authorization headers to be sent ONLY to sites the browser knows are requesting them. I hope this was a coherent bug report.
Alexey Proskuryakov
Comment 2
2010-06-03 19:45:24 PDT
Are you seeing this with nightly builds from <
http://nightly.webkit.org
>?
Tosh
Comment 3
2010-06-04 07:05:00 PDT
(In reply to
comment #2
)
> Are you seeing this with nightly builds from <
http://nightly.webkit.org
>?
I can't even be certain it's a webKit bug as it only happens with Safari 4.0.5 on OSX 10.5+ and 10.6+. On 10.4+ the above behaviour is not exhibited. I've also reported the same bug to Apple in case that matters.
Alexey Proskuryakov
Comment 4
2010-06-04 10:47:21 PDT
Can you please test this with a nightly build? Since there is no test case or example site for me to easily reproduce the problem, I'd like to know the results of your testing. Nightly builds don't permanently replace anything in your OS or Safari installation, so there is no danger in testing them.
Tosh
Comment 5
2010-07-22 15:27:09 PDT
Created
attachment 62349
[details]
Screen shot of Webkit Nightly Build after 302 redirection from Basic Auth page to no AUTH page Screen shot of Webkit Nightly Build after 302 redirection from Basic Auth page to no AUTH page. You should note: Referer:
http://www.filistics.com/tosh/files.pl?projectID=30
The above URL is Basic AUTH protected. It sets a 302 redirect to a resource on S3, with the AUTH info contained in the URL. But you will also see in the headers: Authorization:Basic dG9zaDp0b3No S3 doesn't like having TWO AUTH possibilities since both methods could be valid, so it throws an error. It seems WebKit it passing along the Basic Auth status when it shouldn't be.
Tosh
Comment 6
2010-07-22 15:28:53 PDT
Damn that's kinda incoherent, let me know what I need to clarify, sorry. Tosh
Alexey Proskuryakov
Comment 7
2010-07-22 16:23:59 PDT
<
rdar://problem/8225016
>
Brady Eidson
Comment 8
2010-12-14 16:53:43 PST
Firefox seems to automatically send credentials if the redirect is to a page in the same security origin, but strips them if the page is not. We should probably match.
Brady Eidson
Comment 9
2010-12-14 16:59:05 PST
Created
attachment 76595
[details]
Patch v1
Alexey Proskuryakov
Comment 10
2010-12-14 17:28:02 PST
Comment on
attachment 76595
[details]
Patch v1 View in context:
https://bugs.webkit.org/attachment.cgi?id=76595&action=review
> WebCore/platform/network/cf/ResourceHandleCFNet.cpp:485 > + if (!protocolHostAndPortAreEqual(request.url(), redirectResponse.url())) > + request.clearHTTPAuthorization();
So, we're preserving the authorization header in more cases than Firefox? This doesn't seem great, although I can't imagine a practical situation where this would be a problem.
> LayoutTests/http/tests/loading/authentication-sent-to-redirect-expected.txt:8 > +frame "<!--framePath //<!--frame0-->-->" - didReceiveServerRedirectForProvisionalLoadForFrame > +frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
Does this test need to dump these? All this logging is good for is making tests flaky.
Brady Eidson
Comment 11
2010-12-14 17:32:36 PST
(In reply to
comment #10
)
> (From update of
attachment 76595
[details]
) > View in context:
https://bugs.webkit.org/attachment.cgi?id=76595&action=review
> > > WebCore/platform/network/cf/ResourceHandleCFNet.cpp:485 > > + if (!protocolHostAndPortAreEqual(request.url(), redirectResponse.url())) > > + request.clearHTTPAuthorization(); > > So, we're preserving the authorization header in more cases than Firefox? This doesn't seem great, although I can't imagine a practical situation where this would be a problem.
I *think* we're matching Firefox. See my comment earlier: "Firefox seems to automatically send credentials if the redirect is to a page in the same security origin, but strips them if the page is not." This code matches that by stripping the auth headers only when the security origin of the two involved URLs differ.
> > > LayoutTests/http/tests/loading/authentication-sent-to-redirect-expected.txt:8 > > +frame "<!--framePath //<!--frame0-->-->" - didReceiveServerRedirectForProvisionalLoadForFrame > > +frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame > > Does this test need to dump these? All this logging is good for is making tests flaky.
It gets these simply by being an http/loading test. You're right, they're not needed (though I don't forsee flakiness in this case), so I'll move them to a different directory. Thanks for the review!
Brady Eidson
Comment 12
2010-12-14 17:50:48 PST
http://trac.webkit.org/changeset/74084
WebKit Review Bot
Comment 13
2010-12-14 18:18:36 PST
http://trac.webkit.org/changeset/74084
might have broken Qt Linux Release The following tests are not passing: http/tests/misc/authentication-sent-to-redirect.html
Brady Eidson
Comment 14
2010-12-15 09:01:43 PST
(In reply to
comment #13
)
>
http://trac.webkit.org/changeset/74084
might have broken Qt Linux Release > The following tests are not passing: > http/tests/misc/authentication-sent-to-redirect.html
I don't see this failure on their bot anymore, but their bot isn't in great shape ATM. It's quite possible Qt's networking had the same bug the Mac and Windows ports had, and they probably should fix it in the same manner.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug