Bug 239318
| Summary: | Basic authentication specified in auth popup on a website overrides subsequent API calls that require an Authorization header | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Nikolay Latyshev <nikolay.latyshev> |
| Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | achristensen, ap, beidson, nikolay.latyshev, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 15 | | |
| Hardware: | All | | |
| OS: | All | | |
Nikolay Latyshev
Steps to reproduce:
1. Make www.example.com protected by basic auth ("WWW-Authenticate: Basic" response header).
2. Navigate to www.example.com and enter correct credentials, e.g. admin:password.
3. Create a request to www.example.com/api/login with an "Authorization: Basic" header (customer:password).
Actual result: the "Authorization: Basic admin:password" header is sent to www.example.com/api/login.
Expected result: the "Authorization: Basic customer:password" header is sent to www.example.com/api/login.
Use case: a website that allows customer logins by sending credentials in the auth header, with any non-production environment of the website protected by basic auth.
Nikolay Latyshev
This is a WebKit-specific bug, works as expected in e.g. Firefox or Chrome.
Alexey Proskuryakov
> 2. Create a request to www.example.com/api/login with "Authorization: Basic" header (customer:password).
Could you please clarify how this request is created? XMLHttpRequest?
Nikolay Latyshev
Sorry, forgot to mention: the request, in this case, should be created via the Fetch API to a relative URL; I didn't try other options.
```javascript
// customer and password hold the customer's credentials from the example above
const customer = 'customer';
const password = 'password';

fetch('/api/login', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    Authorization: `Basic ${btoa(`${customer}:${password}`)}`,
  },
  // a plain object body would be sent as "[object Object]"; serialize it as JSON
  body: JSON.stringify({ some: 'body' }),
});
```
Ryan Haddad
rdar://92068426