[Webkit-unassigned] [Bug 70686] New: WebKit fails to prompt for basic authentication when the realm is an unquoted URL

Sat Oct 22 16:05:36 PDT 2011

https://bugs.webkit.org/show_bug.cgi?id=70686

           Summary: WebKit fails to prompt for basic authentication when
                    the realm is an unquoted URL
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
               URL: http://www.ennaranja.com
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: guillermo.jano.bugzilla at gmail.com

When Safari/WebKit finds an HTTP header like the following:

WWW-Authenticate: Basic realm=http://www.ennaranja.com

it fails to parse the realm and thus doesn't prompt for an username/password but directly present the Authorization Required page to the user. I know this header syntax is invalid, as the parameter 'realm' is defined to only use 'quoted-string' syntax, however some other browsers as Internet Explorer or Mozilla Firefox or even the WebKit-based Google Chrome accept this unquoted form and still present the user with the prompt.

I have found a study about how several browsers parse the WWW-Authenticate in different situations [ http://greenbytes.de/tech/tc/httpauth/ ] and this issue is similar to test case 'simplebasictok', which Safari passes, however I guess the non-alphanumeric characters (':', '/') in the URL make the difference in this case.

This issue also affects MobileSafari in iOS 5.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.