[Webkit-unassigned] [Bug 32916] XMLHttpRequest with failed authentication should not show login prompt if credentials are provided

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 7 21:44:16 PDT 2010 

https://bugs.webkit.org/show_bug.cgi?id=32916


Victor Andrée <victor.andree at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |victor.andree at gmail.com




--- Comment #2 from Victor Andrée <victor.andree at gmail.com>  2010-06-07 21:44:16 PST ---
This bug is still around and is causing me trouble. I'll provide some specifics and a live test case.

Check out https://mail.google.com/mail/feed/atom (I was trying to put together an extension). Depending on how whether you try to auth with an existing account or not, the server will return different headers if you fail to authenticate (identical headers removed):

Non-existing account:

    $ curl -u victor.andreez -v https://mail.google.com/mail/feed/atom
    < HTTP/1.1 401 Unauthorized

Existing account:

    $ curl -u victor.andree -v https://mail.google.com/mail/feed/atom
    < HTTP/1.1 401 Unauthorized
    < WWW-Authenticate: BASIC realm="New mail feed"

If you attempt the same requests with XMLHttpRequest, only the latter will display a login sheet (since there won't be an account to "login" to otherwise, I presume the Google engineers thought). According to the specs, the sheet should never be displayed.

Reproducing with XMLHttpRequest:

    xhr = new XMLHttpRequest();

    // No account    
    xhr.open("GET", "https://mail.google.com/mail/feed/atom", true, "victor.andreez", "hunter2");
    xhr.send();

    // --> Failed to load resource: the server responded with a status of 401 (Unauthorized)

    // Existing account
    xhr.open("GET", "https://mail.google.com/mail/feed/atom", true, "victor.andree", "hunter2");
    xhr.send();

    // --> Failed to load resource: cancelled
    //     + a stinking sheet!

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list