[Webkit-unassigned] [Bug 37781] [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sat Apr 24 17:09:03 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=37781
Julien Chaffraix <jchaffraix at webkit.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #2 from Julien Chaffraix <jchaffraix at webkit.org> 2010-04-24 17:09:03 PST ---
> Do you have a test case?
It took me quite so time to retrieve it but I have it now (I thought it was
trivial enough to avoid writing one and I was wrong). I need to clean it up
before posting it.
> On Mac OS X, credentials are stripped from URLs before
> a connection is created:
>
> // Take user/pass out of the URL.
> // Credentials for ftp can only be passed in URL, the
> connection:didReceiveAuthenticationChallenge: delegate call won't be made.
> if ((delegate->m_user || delegate->m_pass) && url.protocolInHTTPFamily()) {
> ResourceRequest requestWithoutCredentials = request;
> requestWithoutCredentials.removeCredentials();
> connection = [[NSURLConnection alloc]
> initWithRequest:requestWithoutCredentials.nsURLRequest() delegate:delegate
> startImmediately:NO];
You are partly right. Currently the credentials are stripped at 3 levels:
- the DocumentThreadableLoader code for cross-origin requests
- the ResourceHandleInternal
- the network level (it depends on the platform)
I may have missed some call sites as our credential management is far from
being straightforward.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list