Open Bug 1229443 Opened 10 years ago Updated 3 years ago

WebSocket upgrade request doesn't support authorization header for basic auth

Categories

(Core :: Networking: WebSockets, defect, P3)

Product:
Core
Component:
Networking: WebSockets
Version:
42 Branch
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: ryan, Unassigned)

Details

(Whiteboard: [necko-backlog])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36 Steps to reproduce: run a local service (eg. http://localhost:5100) - I'm running a nodejs express service locally Open console and create a websocket using basic auth > ws = new WebSocket('ws://username:password@localhost:5100'); Actual results: The WebSocket is successfully created but the upgrade request does not include the `authorization` header. If I want to authenticate WebSocket connections I need to do it through the open channel instead of through the upgrade request itself. Expected results: The upgrade request should include an `authorization` header including the base64 encoded string <username>:<password> as per http://www.w3.org/Protocols/HTTP/1.0/spec.html#Authorization
Component: Untriaged → Networking: WebSockets
Product: Firefox → Core
ws should be treated like a subresource
Whiteboard: [necko-backlog]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
Hi, More details: * The `authorization` header is defined since websocket-13: https://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-13#page-21): "The request MAY include any other header fields, for example cookies [RFC6265] and/or authentication related header fields such as Authorization header field [RFC2616]." * Now it can be found in the RFC6455: https://tools.ietf.org/html/rfc6455#page-53 "10.5. WebSocket Client Authentication This protocol doesn't prescribe any particular way that servers can authenticate clients during the WebSocket handshake. The WebSocket server can use any client authentication mechanism available to a generic HTTP server, such as cookies, HTTP authentication, or TLS authentication." It clearly states that HTTP authentication can be used. It can be reproduced thanks to http://www.websocket.org/echo.html, change the location to "ws://user:password@echo.websocket.org" then hit 'connect' button. In the header send by FireFox there is no authorization header, ex: "Accept text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8 Accept-Encoding gzip, deflate Accept-Language en-US,en;q=0.5 Cache-Control no-cache Connection keep-alive, Upgrade Cookie _ga=GA1.2.1852469617.151488959…9590; __zlcmid=kHh12yorJGHjAh Host echo.websocket.org Origin http://www.websocket.org Pragma no-cache Sec-WebSocket-Extensions permessage-deflate Sec-WebSocket-Key KCKq/XA5/abcHsOcvhfgdw== Sec-WebSocket-Version 13 Upgrade websocket User-Agent Mozilla/5.0 (Windows NT 6.1; W…) Gecko/20100101 Firefox/57.0"

I couldn't reproduce this bug. While the inspector doesn't show the "Authorization" header, presumably in order to avoid leaking credentials, in my testing, it is sent properly.

Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.