[Webkit-unassigned] [Bug 40138] Authorization header is sent from a Basic Auth protected site on 302 redirect but only with Safari 4.0.5 and OSX 10.5.8

bugzilla-daemon at webkit.org
Thu Jun 3 14:03:02 PDT 2010


--- Comment #1 from Tosh <tosh+bugzilla at 1200group.com>  2010-06-03 14:03:02 PST ---
ARG!!  Hit ENTER at the wrong time...

If I am on a Basic Auth protected website and click a link to download a file which sends the browser a 302 redirect to a new site hosting the file to be downloaded, then the Authorization header is sent to the new site, like this:


Returns a 302 redirect to:


The above URL will be sent the Authorization header from the original site.

Normally this is probably not a problem, but some web services these days accept either the option of Authorization headers or URL tokens to access their resources, and when BOTH are sent this causes errors.

I would expect Authorization headers to be sent ONLY to sites the browser knows are requesting them.

I hope this was a coherent bug report.

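
The redirect handling the report asks for, as an added example that is not part of the original message and is not WebKit code: a client drops credential headers when a redirect leaves the origin they were sent to. The hosts, paths, token, credentials and function names are constructed for illustration.

```javascript
// Added example, not WebKit code. Hosts, paths and credentials are constructed.
const REDIRECT_CODES = new Set([301, 302, 303, 307, 308]);
// Headers carrying credentials that were meant for one origin only.
const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie']);

// Build the follow-up request for a redirect response, or null if none.
function followRedirect(request, response) {
  if (!REDIRECT_CODES.has(response.status) || !response.location) return null;
  const from = new URL(request.url);
  const to = new URL(response.location, from); // resolves relative Location values
  // Origin = scheme + host + port, so an https -> http downgrade also counts.
  const crossOrigin = from.origin !== to.origin;
  const headers = {};
  for (const [name, value] of Object.entries(request.headers)) {
    if (crossOrigin && CREDENTIAL_HEADERS.has(name.toLowerCase())) continue;
    headers[name] = value;
  }
  return { url: to.href, headers };
}

// Replay a chain of redirect responses and return every request that would be sent.
function walkChain(start, responses) {
  const sent = [start];
  for (const response of responses) {
    const next = followRedirect(sent[sent.length - 1], response);
    if (!next) break;
    sent.push(next);
  }
  return sent;
}

// Constructed scenario: protected site -> same-origin hop -> file host -> back again.
const sampleStart = {
  url: 'https://protected.example/download?id=7',
  headers: { Authorization: 'Basic dXNlcjpwYXNz', Accept: '*/*' },
};
const sampleResponses = [
  { status: 302, location: '/files/7' },
  { status: 302, location: 'https://files.example/7.bin?token=SAMPLE' },
  { status: 302, location: 'https://protected.example/thanks' },
];

for (const req of walkChain(sampleStart, sampleResponses)) {
  console.log(req.url, 'Authorization' in req.headers ? 'with Authorization' : 'no Authorization');
}
```

Once the header has been dropped at the cross-origin hop it is not restored when a later redirect returns to the first site; the client would have to answer a fresh 401 challenge there.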