[Webkit-unassigned] [Bug 35390] New: behavior with http auth and xmlhttprequest

Thu Feb 25 09:13:43 PST 2010

https://bugs.webkit.org/show_bug.cgi?id=35390

           Summary: behavior with http auth and xmlhttprequest
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Gtk
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: danw at gnome.org

http://www.vsecurity.com/download/tools/fbha-poc_0.1.zip
is a proof of concept of using xmlhttprequest to allow html form-based auth but
using http auth underneath instead of cookies. On Firefox, IE, Safari, and
Chrome, it uses http auth, but does not pop up any browser password dialog
boxes. In Epiphany though, both the login and logout pages pop up a dialog.

(To run the test server, download the zip file, unzip it, and just run the
python script, giving it a port number.)

Haven't looked in detail, but it seems like the difference might be that the
other browsers never prompt for passwords on xmlhttprequest requests? (or at
least, on xmlhttprequest requests that contain password arguments)

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.