RESOLVED FIXED 41531
Asynchronous cross origin XMLHttpRequest doesn't expose 401 response when withCredentials is false
https://bugs.webkit.org/show_bug.cgi?id=41531
Stuart Ng
Reported 2010-07-02 12:33:21 PDT
Created attachment 60387 [details] Packet Trace of this transaction
Test Scenario:
- Try to do HTTP GET to a secure webpage
- Server sends back 401
- Since withCredentials is false, no credentials are sent back.
- I would expect a 401 error to be the final result (i.e. failed to log in)
- Instead, I get a Network Error 101 and xhr.status = 0.
- This only happens on Safari. On Chrome I am getting status 401 as expected.
Attachments
Packet Trace of this transaction (1.71 KB, application/octet-stream)
2010-07-02 12:33 PDT, Stuart Ng
no flags
Test Page on Client Side. (2.17 KB, text/html)
2010-07-02 12:34 PDT, Stuart Ng
no flags
proposed fix (9.61 KB, patch)
2010-07-19 15:21 PDT, Alexey Proskuryakov
beidson: review+
Stuart Ng
Comment 1 2010-07-02 12:34:29 PDT
Created attachment 60389 [details] Test Page on Client Side.
Alexey Proskuryakov
Comment 2 2010-07-09 16:43:13 PDT
I'm seeing the same behavior in Firefox. But Firefox also doesn't let the sync request response through. Does that match your results? The code that implements this behavior is in DocumentThreadableLoader::didReceiveAuthenticationChallenge().
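The scenario from the report, together with the sync/async comparison asked about in comment 2, as an added example (not the reporter's attached test page and not WebKit code): a probe that records whether script sees the 401 or only a masked network error. The `probe` and `classify` names and the URL passed in are assumptions; the endpoint is expected to be a cross-origin server you control that answers 401 with CORS headers.

```javascript
// Added example: reports what a cross-origin XMLHttpRequest exposes when the
// server answers 401 and withCredentials is false.
// Assumption: XHRImpl defaults to the browser's XMLHttpRequest; it is
// injectable so the logic can also be exercised outside a browser.
function classify(status, via) {
  // 401 visible to script = challenge exposed; 0 = masked as a network error.
  const outcome = status === 401 ? "challenge-exposed"
                : status === 0   ? "network-error"
                : "other";
  return { status, via, outcome };
}

function probe(url, { async = true, XHRImpl = globalThis.XMLHttpRequest } = {}) {
  const xhr = new XHRImpl();
  xhr.open("GET", url, async);
  xhr.withCredentials = false; // no cookies or HTTP auth on the cross-origin request
  if (!async) {
    // A synchronous request signals a network error by throwing from send().
    try {
      xhr.send();
      return classify(xhr.status, "sync-return");
    } catch (e) {
      return classify(xhr.status, "sync-exception");
    }
  }
  // An asynchronous request signals it through the error event instead.
  return new Promise((resolve) => {
    xhr.onload = () => resolve(classify(xhr.status, "load"));
    xhr.onerror = () => resolve(classify(xhr.status, "error"));
    xhr.send();
  });
}
```

Run `probe(url)` and `probe(url, { async: false })` from a page on a different origin than `url` and compare the two results across browsers.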
Alexey Proskuryakov
Comment 3 2010-07-19 15:21:40 PDT
Created attachment 61999 [details] proposed fix
WebKit Review Bot
Comment 4 2010-07-19 16:09:44 PDT
Brady Eidson
Comment 5 2010-07-20 12:21:28 PDT
Comment on attachment 61999 [details] proposed fix > Index: WebCore/ChangeLog > =================================================================== > + > + * loader/DocumentThreadableLoader.cpp: > + (WebCore::DocumentThreadableLoader::didReceiveAuthenticationChallenge): Instead of canceling > + the request, continue withotu credentials - if the platform has a necessary method on > + ResourceHandle. typo "withotu" > + > + * loader/SubresourceLoader.cpp: > + (WebCore::SubresourceLoader::didReceiveAuthenticationChallenge): Don't ask resource laoder > + client for credentials if subresource laoder client already resolved those. typo "laoder" Otherwise seems fine!
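Review bot: In the DocumentThreadableLoader.cpp ChangeLog entry, "if the platform has a necessary method on ResourceHandle" does not say which ports that covers or what the loader does on the ones that lack it. Name the method and describe the fallback, since the entry as written implies that what an XMLHttpRequest exposes after a 401 challenge differs by port.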
Alexey Proskuryakov
Comment 6 2010-07-20 12:49:07 PDT
Darin Adler
Comment 7 2010-07-20 16:24:18 PDT
Comment on attachment 61999 [details] proposed fix > +#if PLATFORM(MAC) || USE(CFNETWORK) || USE(CURL) > + loader->handle()->receivedRequestToContinueWithoutCredential(challenge); Seems to me that this should be an #if that's tied to the implementation more directly -- in the ResourceHandle.h header. It seems strange to have the list of platforms here inside a file using the class rather than where the function is defined.
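Review bot: The `#if PLATFORM(MAC) || USE(CFNETWORK) || USE(CURL)` guard around `receivedRequestToContinueWithoutCredential(challenge)` leaves every other port on whatever follows the guard, which the quoted lines do not show. Worth confirming that the other branch still ends the challenge without prompting for or attaching credentials, and adding a short comment at the call saying that continuing without a credential is what lets the 401 response reach the client.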
Alexey Proskuryakov
Comment 8 2010-08-09 07:41:18 PDT