Closed Bug 1379020 Opened 8 years ago Closed 8 years ago

XMLHttpRequest unable to force re-authentication

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Version:
54 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: casey.franek, Unassigned, NeedInfo)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0 Build ID: 20170628075643 Steps to reproduce: I want to force users to re-authenticate when they perform specific actions. My environment is an IIS website using Windows authentication. While logged into a website, run javascript code such as: var xhr = new XMLHttpRequest(); xhr.open('GET', '/MyPage.asp', false, userName, password); xhr.send(); if (xhr.status == 200) { (successfully authenticated, so continue with sensitive action) } Actual results: In the above situation, the re-authentication succeeded. When using fiddler to capture traffic: 1st request does not have an authorization token and returns a 401 error 2nd request has an authorization token, but returns a 401 error 3rd request has a different authorization token, and returns a 200 regardless of if the password provided was correct or not Expected results: When explicitly defining username and password credentials I would expect the xhr.send() command to only use those parameters, and not find others to replace them with.
Component: Untriaged → DOM
Product: Firefox → Core
Sorry to inundate you with xhr-related questions, baku, but do you know what should be happening here?
Flags: needinfo?(amarchesini)
jduell, this is a necko issue, I suspect. From a DOM point of view, XHR creates a URL using the credentials passed as arguments in the Open(): https://dxr.mozilla.org/mozilla-central/source/dom/xhr/XMLHttpRequestMainThread.cpp#1587-1588,1604-1616,1637 Then, this URL is used to create a nsIChannel: https://dxr.mozilla.org/mozilla-central/source/dom/xhr/XMLHttpRequestMainThread.cpp#2531-2550 Nothing more than this, all the rest of the magic happens in necko.
Flags: needinfo?(amarchesini) → needinfo?(jduell.mcbugs)
We could use a concrete test case here. Casey, is there any chance you can give us a web page that points at your server and shows the behavior you mention in comment 0?
Flags: needinfo?(jduell.mcbugs) → needinfo?(casey.franek)
Flags: needinfo?(jduell.mcbugs)
Component: DOM → Networking: HTTP
I have gotten approval to provide an external website for you to test and validate against. I will be working with my IT department to make this available asap.
Flags: needinfo?(casey.franek)
(In reply to casey.franek from comment #4) > I have gotten approval to provide an external website for you to test and > validate against. I will be working with my IT department to make this > available asap. I'd like to keep the ni until the test case is available. This is just for tracking this bug easily. Thanks.
Flags: needinfo?(casey.franek)
No ni? activity in 3 weeks, marking incomplete. Please re-open if new information comes.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Flags: needinfo?(jduell.mcbugs)
You need to log in before you can comment on or make changes to this bug.