Steps to reproduce: 1. Make www.example.com protected by basic auth ("WWW-Authenticate: Basic" response header). 2. Navigate to www.example.com and enter correct credentials, e.g. admin:password. 2. Create a request to www.example.com/api/login with "Authorization: Basic" header (customer:password). Actual result: "Authorization: Basic admin:password" header is sent to www.example.com/api/login. Expected result: "Authorization: Basic customer:password" header is sent to www.example.com/api/login. Use case: a website allows customer logins via sending credentials by auth header. Any non-production environment of a website protected by basic auth.
This is a WebKit-specific bug, works as expected in e.g. Firefox or Chrome.
> 2. Create a request to www.example.com/api/login with "Authorization: Basic" header (customer:password). Could you please clarify how this request is created? XMLHttpRequest?
Sorry, forgot to mention, request, in this case, should be created via Fetch API to relative URL, didn't try other options. fetch('/api/login', { method: 'POST', body: { some: 'body', }, headers: { Authorization: `Basic ${btoa(`${customer}:${password}`)}`, })
rdar://92068426