[Webkit-unassigned] [Bug 45943] CORS: Cross-domain PROPFIND XHR request for servers with authentication does not work in Safari.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Sep 20 10:55:54 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=45943





--- Comment #3 from Alexey Proskuryakov <ap at webkit.org>  2010-09-20 10:55:54 PST ---
This doesn't depend on the method. Here is what XMLHttpRequest 2 draft spec says:

-------------
If authentication fails, XMLHttpRequest origin and the request URL are same origin, Authorization is not in the list of author request headers, request username is null, and request password is null, user agents should prompt the end user for their username and password.

Otherwise, if authentication fails, user agents must not prompt the end user for their username and password.
-------------

Note that for requests that are not same origin, we must not prompt the user.

> Does this mean that before sending PROPFIND to server with Basic auth we have to send GET request somehow (for example include a hidden iframe on a page)?

This may work, but it really shouldn't - it makes no sense to display an authorization dialog for a site other than the one the user has navigated to. If this works, perhaps we should prevent it in the future.

A much better UI would be to let the user know what they are doing by prominently displaying the other site's UI for authentication.

> By the way cross-origin XHR request for PROPFIND works in Firefox with Digest auth.

If Firefox asks for credentials when making cross origin XMLHttpRequests, then it's a Firefox bug.

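The prompting rule from the XMLHttpRequest 2 draft text quoted in the comment above, written out as a decision function. This is an added example, not part of the original comment and not WebKit's code; the function names, the request-object fields and the example hosts are assumptions.

```javascript
// Added illustration; names and hosts are hypothetical, not WebKit code.

// Origin is scheme + host + port. URL.origin normalizes default ports,
// and opaque origins serialize to "null", which must never match.
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  return oa !== "null" && oa === ob;
}

// Header names are case-insensitive, so compare them lowercased.
function hasAuthorHeader(authorHeaders, name) {
  const wanted = name.toLowerCase();
  return Object.keys(authorHeaders || {}).some((h) => h.toLowerCase() === wanted);
}

// True only when every condition of the quoted paragraph holds after
// authentication has failed; otherwise the user agent must not prompt.
function mayPromptForCredentials(req) {
  return (
    sameOrigin(req.documentUrl, req.requestUrl) &&
    !hasAuthorHeader(req.authorHeaders, "Authorization") &&
    req.username == null && // null or never set
    req.password == null
  );
}

// Constructed sample requests (not taken from the bug report).
const base = {
  documentUrl: "https://app.example/ui",
  requestUrl: "https://app.example/files/",
  authorHeaders: { Depth: "1" },
  username: null,
  password: null,
};
const SAMPLES = {
  crossOriginPropfind: { ...base, requestUrl: "https://dav.example/files/" },
  sameOriginDefaultPort: { ...base, requestUrl: "https://app.example:443/files/" },
  sameOriginWithHeader: { ...base, authorHeaders: { authorization: "Basic <placeholder>" } },
  sameOriginWithUser: { ...base, username: "alice" },
  schemeMismatch: { ...base, documentUrl: "http://app.example/ui" },
};

for (const [label, req] of Object.entries(SAMPLES)) {
  console.log(label, "->", mayPromptForCredentials(req) ? "may prompt" : "must not prompt");
}
```

The HTTP method is deliberately not an input: as the comment says, the outcome does not depend on whether the request is PROPFIND or GET.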


