[webkit-reviews] review denied: [Bug 189198] [Curl][WebKitLegacy] Stop sending credential embedded in the url via XHR. : [Attachment 348834] PATCH

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 6 11:26:47 PDT 2018 

Alexey Proskuryakov <ap at webkit.org> has denied Basuke Suzuki
<Basuke.Suzuki at sony.com>'s request for review:
Bug 189198: [Curl][WebKitLegacy] Stop sending credential embedded in the url
via XHR.
https://bugs.webkit.org/show_bug.cgi?id=189198

Attachment 348834: PATCH

https://bugs.webkit.org/attachment.cgi?id=348834&action=review




--- Comment #9 from Alexey Proskuryakov <ap at webkit.org> ---
Comment on attachment 348834
  --> https://bugs.webkit.org/attachment.cgi?id=348834
PATCH

View in context: https://bugs.webkit.org/attachment.cgi?id=348834&action=review

> LayoutTests/ChangeLog:9
> +	   * http/tests/resources/basic-auth/authenticate.php: Added.
> +	   * http/tests/resources/basic-auth/authorize.php: Added.

This adds a new directory for the test, which is the right thing to do because
we want to avoid the engine preemptively sending credentials used by other
tests that could share a directory otherwise.

But the name and location of the new directory are generic, and invites future
additions. I think that it should be named by the test
(http/tests/xmlhttprequest/resources/url-with-credentials/).

> LayoutTests/http/tests/resources/basic-auth/authorize.php:5
> +    header('WWW-Authenticate: Basic realm="Curl Only"');

Why "Curl only"?

> LayoutTests/http/tests/xmlhttprequest/url-with-credentials.html:7
> +    /*
> +	* If the request contains credentials in its url, it should be stripped
from it.
> +	* Also first attempt shouldn't contain basic auth header
> +	*/

Here as well, I don't see why we would want to hide the explanation from test
output.

Also, "it should be stripped" -> "they should be stripped".

> LayoutTests/http/tests/xmlhttprequest/url-with-credentials.html:23
> +    /* First trial must be access without credentials. */
> +    req.open('GET', '/resources/basic-auth/authenticate.php', false, 'foo',
'bar');
> +    req.send(null);
> +    document.writeln(req.responseText);
> +
> +    /* Send auth info after getting authorization header. */
> +    req.open('GET', '/resources/basic-auth/authorize.php', false, 'foo',
'bar');
> +    req.send(null);
> +    document.writeln(req.responseText);

This doesn't test what the comment claims, as there aren't any credentials in
the URL here.

More information about the webkit-reviews mailing list