[Webkit-unassigned] [Bug 40138] Authorization header is sent from a Basic Auth protected site on 302 redirect but only with Safari 4.0.5 and OSX 10.5.8

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 22 15:27:09 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=40138





--- Comment #5 from Tosh <tosh+bugzilla at 1200group.com>  2010-07-22 15:27:09 PST ---
Created an attachment (id=62349)
 --> (https://bugs.webkit.org/attachment.cgi?id=62349)
Screen shot of Webkit Nightly Build after 302 redirection from Basic Auth page to no AUTH page

You should note:
Referer:http://www.filistics.com/tosh/files.pl?projectID=30

The above URL is Basic AUTH protected.  It sets a 302 redirect to a resource on S3, with the AUTH info contained in the URL.

But you will also see in the headers:
Authorization:Basic dG9zaDp0b3No

S3 doesn't like having TWO AUTH possibilities since both methods could be valid, so it throws an error.

It seems WebKit is passing along the Basic Auth status when it shouldn't be.

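The client behaviour the comment expects, as an added example that is not part of the original bug comment or of WebKit's code: a redirect follower that drops `Authorization` when a 3xx `Location` leaves the origin that was authenticated. The hosts, signed URL, credential value and the `followRedirects`/`demoTransport` helpers are constructed for illustration.

```javascript
// Added example: constructed URLs and credential, runs offline in Node.js.
const APP_URL = "http://app.example/files.pl?projectID=30";            // Basic Auth protected (constructed)
const STORE_URL = "https://storage.example/obj?Signature=CONSTRUCTED"; // auth carried in the URL (constructed)

const hasAuth = (headers) =>
  Object.keys(headers).some((n) => n.toLowerCase() === "authorization");

// Decide what may accompany the redirected request.
function headersForRedirect(fromUrl, location, headers) {
  const from = new URL(fromUrl);
  const to = new URL(location, from); // Location may be relative
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    // Credentials belong to the origin (scheme, host, port) that asked for them.
    if (name.toLowerCase() === "authorization" && from.origin !== to.origin) continue;
    out[name] = value;
  }
  return { url: to.href, headers: out };
}

// Hypothetical redirect follower; `transport` stands in for the network.
function followRedirects(startUrl, headers, transport, maxHops = 5) {
  const sent = [];
  let url = startUrl;
  let hdrs = headers;
  for (let hop = 0; hop <= maxHops; hop++) {
    sent.push({ url, headers: hdrs });
    const res = transport(url, hdrs);
    const isRedirect = [301, 302, 303, 307, 308].includes(res.status) && res.location;
    if (!isRedirect) return { sent, final: res };
    ({ url, headers: hdrs } = headersForRedirect(url, res.location, hdrs));
  }
  throw new Error("too many redirects");
}

// Constructed servers: the app redirects authenticated requests; the storage
// host rejects a request carrying both a signed URL and an Authorization header.
function demoTransport(url, headers) {
  if (url === APP_URL) return hasAuth(headers) ? { status: 302, location: STORE_URL } : { status: 401 };
  return { status: hasAuth(headers) ? 400 : 200 };
}

function runDemo() {
  return followRedirects(APP_URL, { Authorization: "Basic CONSTRUCTED", Accept: "*/*" }, demoTransport);
}

console.log(runDemo().sent.map((s) => [s.url, hasAuth(s.headers)]));
```

Forwarding the original headers unchanged in `followRedirects` instead of calling `headersForRedirect` makes the second hop return the constructed 400, which is the failure the comment describes.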