NEW Bug 8342
Synchronous XMLHttpRequest should ask for authentication credentials when necessary 
https://bugs.webkit.org/show_bug.cgi?id=8342
Summary Synchronous XMLHttpRequest should ask for authentication credentials when nec...
Mark Nottingham
Reported 2006-04-12 13:26:15 PDT
Using XmlHttpRequest, if you access a HTTP authenticated resource (e.g., with Basic auth), and the credentials aren't already in the browser, WebKit will pop up an authentication dialog *if* the XmlHttpRequest is made asynchronously. However, it will not pop up a dialog if the XmlHttpRequest send is made synchronously; instead, it will return a -1012 status code. This is inconsistent with other browsers, as well as being plain weird. See http://www.mnot.net/javascript/xmlhttprequest/ ("Does unhandled authentication pop up a dialog?") for test code.
Attachments
Add attachment proposed patch, testcase, etc.
Jesse Costello-Good
Comment 1 2007-03-14 13:58:16 PDT
I'm running 6 tests: {async, sync} x {correct name/pw, omit name/pw args, incorrect name/pw} and I get these results in IE6, Fx, and Safari nightly: Sync Correct Sync Blank Sync Incorrect Async Correct Async Blank Async Incorrect IE6 no yes no no yes no Fx2 no yes yes no yes yes Saf no no no no yes yes Also testing with pre-authentication from http://www.mnot.net/javascript/xmlhttprequest/ I get: Sync Pre-auth Async Pre-auth IE6 no no Fx2 no no Saf no no It would be nice if all browsers had an API for disabling the authentication dialog. Automated tests of XMLHttpRequest authentication are very difficult otherwise.
Alexey Proskuryakov
Comment 2 2009-04-09 10:28:22 PDT
*** Bug 25076 has been marked as a duplicate of this bug. ***
Mark Rowe (bdash)
Comment 3 2009-10-29 05:31:49 PDT
<rdar://problem/7347794>
Alexey Proskuryakov
Comment 4 2010-04-23 11:09:15 PDT
*** Bug 37992 has been marked as a duplicate of this bug. ***
Patrick Mueller
Comment 5 2010-05-03 11:45:35 PDT
Did a bit of trolling to see if I could find any simple issue to resolve with this. Ran into this: in file WebCore/platform/network/mac/ResourceHandleMac.mm, in class WebCoreSynchronousLoader, in method connection:didReceiveAuthenticationChallenge: at the bottom of the method: // FIXME: The user should be asked for credentials, as in async case. [[challenge sender] continueWithoutCredentialForAuthenticationChallenge:challenge]; Given the context, this looks like the right place to add the prompter.
Alexey Proskuryakov
Comment 6 2010-05-03 12:26:13 PDT
The challenging part would be to ensure that JavaScript is fully suspended while the authentication sheet is displayed. Currently, we achieve that by running the loader with a custom run loop mode. An auth sheet will allow user gestures, so the user could e.g. resize the window in the middle of JS execution, and of course there are all kinds of timers and other networking requests to suspend.
Note You need to log in before you can comment on or make changes to this bug.