[Webkit-unassigned] [Bug 32916] XMLHttpRequest with failed authentication should not show login prompt if credentials are provided

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 13 17:05:20 PDT 2014


kevin.gay at software.dell.com changed:

           What    |Removed                     |Added
                 CC|                            |kevin.gay at software.dell.com

--- Comment #7 from kevin.gay at software.dell.com  2014-05-13 17:05:41 PST ---
This issue needs to be addressed.  This is improper behavior according to the W3C spec.  On the following page:


you can find these three paragraphs:

"If the user agent supports HTTP Authentication and Authorization is not in the list of author request headers, it should consider requests originating from the XMLHttpRequest object to be part of the protection space that includes the accessed URIs and send Authorization headers and handle 401 Unauthorized requests appropriately.

If authentication fails, source origin and the request URL are same origin, Authorization is not in the list of author request headers, request URL's username is the empty string and request URL's password is null, user agents should prompt the end user for their username and password.

Otherwise, if authentication fails, user agents must not prompt the end user for their username and password."

The latest version of Safari (5.1.7) on Windows does not do this.  The browser always prompts for a username and password.  No other browser, IE 9, 10, 11, Firefox, Chrome, nor Opera does this.  They all obey the specification and behave similarly.

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list