[webkit-reviews] review granted: [Bug 40138] Authorization header is sent from an HTTP Auth protected site on redirect : [Attachment 76595] Patch v1

bugzilla-daemon at webkit.org
Tue Dec 14 17:28:02 PST 2010


Alexey Proskuryakov <ap at webkit.org> has granted Brady Eidson
<beidson at apple.com>'s request for review:
Bug 40138: Authorization header is sent from an HTTP Auth protected site on
redirect
https://bugs.webkit.org/show_bug.cgi?id=40138

Attachment 76595: Patch v1
https://bugs.webkit.org/attachment.cgi?id=76595&action=review

------- Additional Comments from Alexey Proskuryakov <ap at webkit.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=76595&action=review

> WebCore/platform/network/cf/ResourceHandleCFNet.cpp:485
> +    if (!protocolHostAndPortAreEqual(request.url(), redirectResponse.url()))

> +	   request.clearHTTPAuthorization();
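
Review bot: The `protocolHostAndPortAreEqual(request.url(), redirectResponse.url())` condition clears the header only when the scheme, host or port changes, so a redirect to a different path on the same origin still carries `Authorization`. If that exemption is intentional, a comment above the `if` should say why same-origin redirects keep the header; otherwise call `request.clearHTTPAuthorization()` on every redirect. The layout test should then cover both a cross-origin and a same-origin redirect so the chosen behaviour is pinned down.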

So, we're preserving the authorization header in more cases than Firefox? This
doesn't seem great, although I can't imagine a practical situation where this
would be a problem.

> LayoutTests/http/tests/loading/authentication-sent-to-redirect-expected.txt:8

> +frame "<!--framePath //<!--frame0-->-->" -
didReceiveServerRedirectForProvisionalLoadForFrame
> +frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
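
Review bot: The expected output at the `didReceiveServerRedirectForProvisionalLoadForFrame` and `didCommitLoadForFrame` lines records frame load callbacks, which do not show whether the redirect target received an `Authorization` header. The pass condition should be a line reporting what the redirect target saw for that header, with the callback lines dropped from the expectation so the result does not depend on callback order.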

Does this test need to dump these? All this logging is good for is making tests
flaky.

