[Webkit-unassigned] [Bug 40138] Authorization header is sent from a Basic Auth protected site on 302 redirect but only with Safari 4.0.5 and OSX 10.5.8
bugzilla-daemon at webkit.org
Thu Jun 3 14:03:02 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=40138
--- Comment #1 from Tosh <tosh+bugzilla at 1200group.com> 2010-06-03 14:03:02 PST ---
ARG!! Hit ENTER at the wrong time...
If I am on a Basic Auth protected website and click a link to download a file which sends the browser a 302 redirect to a new site hosting the file to be downloaded, then the Authorization header is sent to the new site, like this:
mysite.com/protected/download?fileID=123
Returns a 302 redirect to:
newSite.com/notProtected/download?fileID=123
The above URL will be sent the Authorization header from the original site.
Normally this is probably not a problem, but some web services these days accept either the option of Authorization headers or URL tokens to access their resources, and when BOTH are sent this causes errors.
I would expect Authorization headers to be sent ONLY to sites the browser knows are requesting them.
I hope this was a coherent bug report.
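The behaviour the reporter expects, written out as a redirect policy (an added example, not code from WebKit or from the bug report): credentials are re-sent only when the 302 target has the same origin as the request that carried them. The URLs and the Basic credential below are constructed for illustration.

```python
"""Redirect-header policy: drop Authorization when a 302 leaves the origin.

Constructed example; the helper names are assumptions, not WebKit APIs.
"""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), normalised so that an implicit default
    port and an explicit one (https://a.example:443) compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def headers_for_redirect(request_url, location, request_headers):
    """Compute the headers for the request that follows a redirect.

    `location` may be relative, as the Location header allows, so it is
    resolved against the original request URL first. If the resolved target
    is on a different origin (scheme, host or port differs), the Authorization
    header is removed: a Basic credential belongs to the site that challenged
    for it, and forwarding it to the new site is exactly the leak described
    in the report. All other headers are forwarded unchanged.
    """
    target = urljoin(request_url, location)
    forwarded = dict(request_headers)
    if origin(target) != origin(request_url):
        # Header names are case-insensitive, so match on the lowercased key.
        for name in [k for k in forwarded if k.lower() == "authorization"]:
            del forwarded[name]
    return target, forwarded
```
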