[Webkit-unassigned] [Bug 239944] New: Safari does not persist the Authorization header on redirect

bugzilla-daemon at webkit.org
Sun May 1 08:29:21 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=239944

            Bug ID: 239944
           Summary: Safari does not persist the Authorization header on
                    redirect
           Product: WebKit
           Version: Safari 15
          Hardware: Mac (Intel)
                OS: macOS 12
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: XML
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: 906529775 at qq.com

Sorry, my English is not good, the following content is generated by translation software.

I describe the problem I have:

In Safari, I send a request via fetch:

/api/user/list?page=1&page_size=10

Because the path is wrong, the status code returned by the server is 301, and a new request path is given:

/api/user/list/?page=1&page_size=10

After Safari receives 301, it automatically sends a new request, but does not bring the Authorization request header.

My expectation is to bring the Authorization request header when redirecting, what should I do? Looking forward to your reply, thanks.

Note: When redirecting, the Chrome browser will take the Authorization request with it.

The full request log is below:

First request (has Authorization request header):

Request
GET /api/user/list?page=1&page_size=10
Authorization: Bearer xxxxxxxxxxxx
Referer: https://test.com/api/user/list?page=1&page_size=10
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
Cache-Control: no-cache
Pragma: no-cache
X-OA-ID: 10004572

------

Response to first request:

Redirect Response
301 Moved Permanently
Location: /api/user/list/?page=1&page_size=10
Date: Sun, 01 May 2022 09:29:24 GMT
Referrer-Policy: same-origin

------

Redirect automatically sent by Safari (no Authorization header):

Request
GET /api/user/list/?page=1&page_size=10 HTTP/1.1
Accept: */*
Pragma: no-cache
Cookie: xxxxxxxxxxxx
Referer: https://test.com/api/user/list
Cache-Control: no-cache
Host: test.com
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
X-OA-ID: 10004572

------


I found 2 similar questions on Stack Overflow, but none were solved.

https://stackoverflow.com/questions/71311305/how-to-prevent-safari-from-dropping-the-authorization-header-when-following-a-sa

https://stackoverflow.com/questions/57974176/safari-does-not-persist-the-authorization-header-on-redirect
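
An added example, not part of the original report and not WebKit code: a client-side wrapper that re-sends the bearer token after a followed redirect only when the final URL is on the same origin as the requested one. The function names, the injectable `fetchImpl`, the `base` parameter (pass `location.href` for relative URLs) and the assumption that the API answers 401 when the header is missing are all hypothetical.

```javascript
// Added example (not from the bug report). Assumption: the API answers 401
// when the redirected request arrives without the Authorization header.

// Decide whether it is both useful and safe to resend the token to response.url.
function shouldResendAuth(requestUrl, response, base) {
  // Only act when a redirect was followed and the final hop was rejected.
  if (!response.redirected || response.status !== 401) return false;
  const intended = new URL(requestUrl, base);
  const landed = new URL(response.url, base);
  // Never hand the bearer token to a different origin than the caller chose.
  return landed.origin === intended.origin;
}

// fetchImpl is injectable so the logic can be exercised offline;
// in a page it defaults to the browser's fetch.
async function fetchWithAuth(requestUrl, token, fetchImpl = fetch, base) {
  const headers = { Authorization: `Bearer ${token}` };
  const first = await fetchImpl(requestUrl, { headers });
  if (!shouldResendAuth(requestUrl, first, base)) return first;
  // Go straight to the final URL and refuse any further redirect, so the
  // token is only ever attached to a URL this code has checked.
  const finalUrl = new URL(first.url, base).href;
  return fetchImpl(finalUrl, { headers, redirect: 'error' });
}
```

Requesting the canonical path (here, the one with the trailing slash) in the first place avoids the redirect and the second round trip entirely.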
