[Webkit-unassigned] [Bug 239318] New: Basic authentication specified in auth popup on a website overrides subsequent API calls that requires Authorization header

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=239318

            Bug ID: 239318
           Summary: Basic authentication specified in auth popup on a
                    website overrides subsequent API calls that requires
                    Authorization header
           Product: WebKit
           Version: Safari 15
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: nikolay.latyshev at ewave.com

Steps to reproduce:
1. Make www.example.com protected by basic auth ("WWW-Authenticate: Basic" response header).
2. Navigate to www.example.com and enter correct credentials, e.g. admin:password.
2. Create a request to www.example.com/api/login with "Authorization: Basic" header (customer:password).

Actual result: "Authorization: Basic admin:password" header is sent to www.example.com/api/login.

Expected result: "Authorization: Basic customer:password" header is sent to www.example.com/api/login.


Use case: a website allows customer logins via sending credentials by auth header. Any non-production environment of a website protected by basic auth.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220414/b131882c/attachment.htm>