Bug 41531 - Asynchronous cross origin XMLHttpRequest doesn't expose 401 response when withCredentials is false
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: XML (show other bugs)
Version: 528+ (Nightly build)
Hardware: All
OS: All
: P2 Normal
Assignee: Alexey Proskuryakov
URL:
Keywords:
Depends on:
Blocks:
Reported: 2010-07-02 12:33 PDT by Stuart Ng
Modified: 2010-08-09 07:41 PDT

See Also:


Attachments
Packet Trace of this transaction (1.71 KB, application/octet-stream)
2010-07-02 12:33 PDT, Stuart Ng
Test Page on Client Side. (2.17 KB, text/html)
2010-07-02 12:34 PDT, Stuart Ng
proposed fix (9.61 KB, patch)
2010-07-19 15:21 PDT, Alexey Proskuryakov
beidson: review+

Description Stuart Ng 2010-07-02 12:33:21 PDT
Created attachment 60387
Packet Trace of this transaction

- Test Scenario:

- Try to do an HTTP GET to a secure webpage
- Server sends back 401
- Since withCredentials is false, no credentials are sent back.

- I would expect a 401 error to be the final result (i.e. failed to log in).
- Instead, I get a Network Error 101 and xhr.status = 0.

- This only happens on Safari. On Chrome I am getting status 401 as expected.
Comment 1 Stuart Ng 2010-07-02 12:34:29 PDT
Created attachment 60389
Test Page on Client Side.
Comment 2 Alexey Proskuryakov 2010-07-09 16:43:13 PDT
I'm seeing the same behavior in Firefox. But Firefox also doesn't let the sync request response through. Does that match your results?

The code that implements this behavior is in DocumentThreadableLoader::didReceiveAuthenticationChallenge().
Comment 3 Alexey Proskuryakov 2010-07-19 15:21:40 PDT
Created attachment 61999
proposed fix
Comment 4 WebKit Review Bot 2010-07-19 16:09:44 PDT
Attachment 61999 did not build on chromium:
Build output: http://queues.webkit.org/results/3564261
Comment 5 Brady Eidson 2010-07-20 12:21:28 PDT
Comment on attachment 61999
proposed fix

> Index: WebCore/ChangeLog
> ===================================================================
> +
> +        * loader/DocumentThreadableLoader.cpp:
> +        (WebCore::DocumentThreadableLoader::didReceiveAuthenticationChallenge): Instead of canceling
> +        the request, continue withotu credentials - if the platform has a necessary method on
> +        ResourceHandle.
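Review bot: the entry for didReceiveAuthenticationChallenge is conditional ("if the platform has a necessary method on ResourceHandle") but does not say what happens on the other platforms or which method it means; name the method and state the fallback for platforms that lack it (presumably the previous cancel behaviour, which the entry should confirm), so the ChangeLog documents the complete behaviour change. It should also spell out the condition under which the request continues without credentials: this bug is the cross-origin, withCredentials false case, and the entry should say the change is limited to it rather than applying to every challenge.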

typo "withotu"

> +
> +        * loader/SubresourceLoader.cpp:
> +        (WebCore::SubresourceLoader::didReceiveAuthenticationChallenge): Don't ask resource laoder
> +        client for credentials if subresource laoder client already resolved those.

typo "laoder"

Otherwise seems fine!
Comment 6 Alexey Proskuryakov 2010-07-20 12:49:07 PDT
Committed <http://trac.webkit.org/changeset/63766>.
Comment 7 Darin Adler 2010-07-20 16:24:18 PDT
Comment on attachment 61999
proposed fix

> +#if PLATFORM(MAC) || USE(CFNETWORK) || USE(CURL)
> +        loader->handle()->receivedRequestToContinueWithoutCredential(challenge);
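Review bot: as quoted, the #if has no #else, so on a platform outside PLATFORM(MAC) || USE(CFNETWORK) || USE(CURL) nothing visible is done with the challenge at this point; add or document the fallback for those platforms (presumably the earlier cancel path) so a challenge is never left pending. The two lines shown also do not include the check that this continue-without-credential path is taken only for cross-origin requests with withCredentials false; a request that is meant to carry credentials must not be silently downgraded to an anonymous one, so keep that condition adjacent to this call. On placement, the platform list belongs behind a single feature macro next to the declaration in ResourceHandle.h rather than at the call site.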

Seems to me that this should be an #if that's tied to the implementation more directly -- in the ResourceHandle.h header. It seems strange to have the list of platforms here inside a file using the class rather than where the function is defined.
Comment 8 Alexey Proskuryakov 2010-08-09 07:41:18 PDT
https://bugzilla.mozilla.org/show_bug.cgi?id=580353