[Webkit-unassigned] [Bug 15441] New: (Windows) Ignoring basic auth credentials in URL

bugzilla-daemon at webkit.org
Tue Oct 9 14:28:19 PDT 2007


           Summary: (Windows) Ignoring basic auth credentials in URL
           Product: WebKit
           Version: 522+ (nightly)
          Platform: PC
               URL: http://joeuser:a.b.C.D@www.rahul.net/joeuser/
        OS/Version: Windows XP
            Status: UNCONFIRMED
          Severity: Blocker
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dan at fabulich.com

Go to a URL that uses HTTP basic authentication. rahul.net has an example page
at http://joeuser:a.b.C.D@www.rahul.net/joeuser/

In Safari/Windows, the credentials in the URL are ignored, and the user is
prompted to enter login/password by hand.

On Firefox and Safari/Mac, the URL resolves directly; on Opera, you get a
warning that "You are about to go to an address containing a username."

(You'll see a similar warning on Firefox when the password is very long, e.g.
longer than 255 characters.  "You are about to log into the site
'www.rahul.net' with the username 'joeuser'."  This can be configured in
Firefox's about:config panel by setting "network.http.phishy-userpass-length".)

In IE7, you get a pop-up saying "Windows cannot find
'http://joeuser:a.b.C.D@www.rahul.net/joeuser/'. Check the spelling and try
again."  However, the page resolves correctly if you set the registry key
FEATURE_HTTP_USERNAME_PASSWORD_DISABLE to "iexplore.exe"; more information is
available here: http://support.microsoft.com/kb/834489

As the MS KB article explains, this is happening because Microsoft decided that
including basic authentication credentials in URLs is a fundamentally bad idea
(because it makes it too easy to create phishy URLs).

The KB article explains that users of WinInet (e.g. WebKit) can pass special
options to their HINTERNET handles to allow basic auth URLs to work.  (For
example, InternetSetOption can set INTERNET_OPTION_USERNAME and

We need to use URL-based basic authentication credentials in Selenium, the web
automation framework.

IMO, Safari/Windows should behave exactly the same way as Safari/Mac, and so
the InternetSetOption line should be added to ResourceHandleWin.cpp.  If this
is regarded as too great a security risk, then it should at least be
configurable using preferences.

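An added example (not part of the original report, and not WebKit or Selenium code): an automation client can avoid depending on how each browser treats URL credentials by splitting the userinfo out itself, sending it as an Authorization header, and flagging the URL shapes the report calls phishy. The function name, the warning strings and the 255-character threshold constant are assumptions for illustration.

```javascript
// Added example: split userinfo out of a URL instead of relying on the browser.
// PHISHY_USERINFO_LENGTH is an assumed threshold modelled on the 255-character
// figure mentioned in the report; it is not read from any browser preference.
const PHISHY_USERINFO_LENGTH = 255;

function splitUrlCredentials(rawUrl) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('only http(s) URLs are handled: ' + url.protocol);
  }
  // URL exposes userinfo percent-encoded; decode before building the header.
  // A malformed escape makes decodeURIComponent throw, which fails closed.
  const username = decodeURIComponent(url.username);
  const password = decodeURIComponent(url.password);
  const hasCredentials = username !== '' || password !== '';

  const warnings = [];
  if (hasCredentials) {
    if (url.protocol === 'http:') {
      warnings.push('credentials would be sent over cleartext HTTP');
    }
    if ((username + ':' + password).length > PHISHY_USERINFO_LENGTH) {
      warnings.push('userinfo longer than ' + PHISHY_USERINFO_LENGTH + ' characters');
    }
    // A username shaped like a hostname can be mistaken for the destination;
    // the host actually contacted is the part after the "@".
    if (/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(username)) {
      warnings.push('username looks like a hostname; real host is ' + url.hostname);
    }
  }

  // Remove userinfo so it never reaches logs, history or Referer headers.
  url.username = '';
  url.password = '';

  const headers = {};
  if (hasCredentials) {
    const token = Buffer.from(username + ':' + password, 'utf8').toString('base64');
    headers.Authorization = 'Basic ' + token;
  }
  return { url: url.href, host: url.hostname, headers, warnings };
}
```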