Bug 8342 - Synchronous XMLHttpRequest should ask for authentication credentials when necessary
: Synchronous XMLHttpRequest should ask for authentication credentials when nec...
Status: NEW
: WebKit
XML
: 417.x
: Macintosh Mac OS X 10.4
: P2 Normal
Assigned To:
: http://www.mnot.net/javascript/xmlhtt...
: HasReduction, InRadar, ReviewedForRadar
:
: 10489
  Show dependency treegraph
 
Reported: 2006-04-12 13:26 PST by
Modified: 2010-08-23 13:30 PST (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2006-04-12 13:26:15 PST
Using XmlHttpRequest, if you access a HTTP authenticated resource (e.g., with Basic auth), and the credentials aren't already in the browser, WebKit will pop up an authentication dialog *if* the XmlHttpRequest is made asynchronously. However, it will not pop up a dialog if the XmlHttpRequest send is made synchronously; instead, it will return a -1012 status code.

This is inconsistent with other browsers, as well as being plain weird.

See http://www.mnot.net/javascript/xmlhttprequest/ ("Does unhandled authentication pop up a dialog?") for test code.
------- Comment #1 From 2007-03-14 13:58:16 PST -------
I'm running 6 tests: {async, sync} x {correct name/pw, omit name/pw args, incorrect name/pw} and I get these results in IE6, Fx, and Safari nightly:

         Sync Correct   Sync Blank   Sync Incorrect   Async Correct   Async Blank   Async Incorrect   
IE6          no                  yes                   no                  no                    yes                  no
Fx2          no                  yes                  yes                 no                    yes                  yes
Saf           no                  no                   no                  no                    yes                  yes

Also testing with pre-authentication from http://www.mnot.net/javascript/xmlhttprequest/ I get:

         Sync Pre-auth   Async Pre-auth
IE6          no                   no
Fx2          no                  no
Saf          no                   no

It would be nice if all browsers had an API for disabling the authentication dialog. Automated tests of XMLHttpRequest authentication are very difficult otherwise.
------- Comment #2 From 2009-04-09 10:28:22 PST -------
*** Bug 25076 has been marked as a duplicate of this bug. ***
------- Comment #3 From 2009-10-29 05:31:49 PST -------
<rdar://problem/7347794>
------- Comment #4 From 2010-04-23 11:09:15 PST -------
*** Bug 37992 has been marked as a duplicate of this bug. ***
------- Comment #5 From 2010-05-03 11:45:35 PST -------
Did a bit of trolling to see if I could find any simple issue to resolve with this.  Ran into this:

in file WebCore/platform/network/mac/ResourceHandleMac.mm,
in class WebCoreSynchronousLoader,
in method connection:didReceiveAuthenticationChallenge:
at the bottom of the method:

    // FIXME: The user should be asked for credentials, as in async case.
    [[challenge sender] continueWithoutCredentialForAuthenticationChallenge:challenge];

Given the context, this looks like the right place to add the prompter.
------- Comment #6 From 2010-05-03 12:26:13 PST -------
The challenging part would be to ensure that JavaScript is fully suspended while the authentication sheet is displayed. Currently, we achieve that by running the loader with a custom run loop mode.

An auth sheet will allow user gestures, so the user could e.g. resize the window in the middle of JS execution, and of course there are all kinds of timers and other networking requests to suspend.