Bug 8342 - Synchronous XMLHttpRequest should ask for authentication credentials when necessary
Summary: Synchronous XMLHttpRequest should ask for authentication credentials when nec...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: XML (show other bugs)
Version: 417.x
Hardware: Macintosh OS X 10.4
: P2 Normal
Assignee: Nobody
URL: http://www.mnot.net/javascript/xmlhtt...
Keywords: HasReduction, InRadar
: 25076 37992 (view as bug list)
Depends on:
Blocks: 10489
  Show dependency treegraph
Reported: 2006-04-12 13:26 PDT by Mark Nottingham
Modified: 2010-08-23 13:30 PDT (History)
9 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Mark Nottingham 2006-04-12 13:26:15 PDT
Using XmlHttpRequest, if you access a HTTP authenticated resource (e.g., with Basic auth), and the credentials aren't already in the browser, WebKit will pop up an authentication dialog *if* the XmlHttpRequest is made asynchronously. However, it will not pop up a dialog if the XmlHttpRequest send is made synchronously; instead, it will return a -1012 status code.

This is inconsistent with other browsers, as well as being plain weird.

See http://www.mnot.net/javascript/xmlhttprequest/ ("Does unhandled authentication pop up a dialog?") for test code.
Comment 1 Jesse Costello-Good 2007-03-14 13:58:16 PDT
I'm running 6 tests: {async, sync} x {correct name/pw, omit name/pw args, incorrect name/pw} and I get these results in IE6, Fx, and Safari nightly:

         Sync Correct   Sync Blank   Sync Incorrect   Async Correct   Async Blank   Async Incorrect   
IE6          no                  yes                   no                  no                    yes                  no
Fx2          no                  yes                  yes                 no                    yes                  yes
Saf           no                  no                   no                  no                    yes                  yes

Also testing with pre-authentication from http://www.mnot.net/javascript/xmlhttprequest/ I get:

         Sync Pre-auth   Async Pre-auth
IE6          no                   no
Fx2          no                  no
Saf          no                   no

It would be nice if all browsers had an API for disabling the authentication dialog. Automated tests of XMLHttpRequest authentication are very difficult otherwise.
Comment 2 Alexey Proskuryakov 2009-04-09 10:28:22 PDT
*** Bug 25076 has been marked as a duplicate of this bug. ***
Comment 3 Mark Rowe (bdash) 2009-10-29 05:31:49 PDT
Comment 4 Alexey Proskuryakov 2010-04-23 11:09:15 PDT
*** Bug 37992 has been marked as a duplicate of this bug. ***
Comment 5 Patrick Mueller 2010-05-03 11:45:35 PDT
Did a bit of trolling to see if I could find any simple issue to resolve with this.  Ran into this:

in file WebCore/platform/network/mac/ResourceHandleMac.mm,
in class WebCoreSynchronousLoader,
in method connection:didReceiveAuthenticationChallenge:
at the bottom of the method:

    // FIXME: The user should be asked for credentials, as in async case.
    [[challenge sender] continueWithoutCredentialForAuthenticationChallenge:challenge];

Given the context, this looks like the right place to add the prompter.
Comment 6 Alexey Proskuryakov 2010-05-03 12:26:13 PDT
The challenging part would be to ensure that JavaScript is fully suspended while the authentication sheet is displayed. Currently, we achieve that by running the loader with a custom run loop mode.

An auth sheet will allow user gestures, so the user could e.g. resize the window in the middle of JS execution, and of course there are all kinds of timers and other networking requests to suspend.