NEW239318
Basic authentication specified in auth popup on a website overrides subsequent API calls that requires Authorization header
https://bugs.webkit.org/show_bug.cgi?id=239318
Nikolay Latyshev
Reported 2022-04-13 20:02:59 PDT
Steps to reproduce:
1. Make www.example.com protected by basic auth ("WWW-Authenticate: Basic" response header).
2. Navigate to www.example.com and enter correct credentials, e.g. admin:password.
3. Create a request to www.example.com/api/login with "Authorization: Basic" header (customer:password).

Actual result: "Authorization: Basic admin:password" header is sent to www.example.com/api/login.

Expected result: "Authorization: Basic customer:password" header is sent to www.example.com/api/login.

Use case: a website allows customer logins via sending credentials by auth header. Any non-production environment of a website protected by basic auth.
Nikolay Latyshev
Comment 1 2022-04-13 20:09:05 PDT
This is a WebKit-specific bug, works as expected in e.g. Firefox or Chrome.
Alexey Proskuryakov
Comment 2 2022-04-14 18:46:09 PDT
> 2. Create a request to www.example.com/api/login with "Authorization: Basic" header (customer:password).

Could you please clarify how this request is created? XMLHttpRequest?
Nikolay Latyshev
Comment 3 2022-04-14 19:51:45 PDT
Sorry, forgot to mention: the request, in this case, should be created via the Fetch API to a relative URL; didn't try other options.

    // customer and password are the application user's credentials entered on the page
    fetch('/api/login', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        // Authorization header explicitly set by the page (customer:password)
        Authorization: `Basic ${btoa(`${customer}:${password}`)}`,
      },
      // body must be a string; a plain object would be sent as "[object Object]"
      body: JSON.stringify({ some: 'body' }),
    })
Ryan Haddad
Comment 4 2022-04-21 17:09:39 PDT