Closed Bug 1425156 Opened 2 years ago Closed 2 years ago
regression: HTTP Basic Auth dialog won't appear
It's a bad build if you don't get asked for username + password and instantly see the error page.

If I directly open https://aerobatic:firstname.lastname@example.org/protected-standard/ I could press OK. But I have a problem if I want to access https://auth-demo.aerobatic.io/protected-standard/ by awesomebar suggestion where I would normally get shown a pre-filled dialog and could just press Enter.

mozregression --good 2017-12-10 --bad 2017-12-13 --pref startup.homepage_welcome_url:"https://auth-demo.aerobatic.io/protected-standard/"
> 5:01.19 INFO: Last good revision: 0285ac1b3755313f0b899708fe840f59717cb999
> 5:01.19 INFO: First bad revision: 09bf615d77d23dcac7c29f9faf696b94660eb7b7
> 5:01.19 INFO: Pushlog:
> https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=0285ac1b3755313f0b899708fe840f59717cb999&tochange=09bf615d77d23dcac7c29f9faf696b94660eb7b7
> c31b663b4dd2 Dragana Damjanovic — Bug 1409449 - Do not show auth-dialog for triggeringPrincipal==SystemPrincipal. r=ckerschb r=valentin r=francois

(I'm unable to block bug 1409449. editbugs permissions are not enough^^)

Personally I could live with this, but it's confusing. Could you please CC me in bug 1409449? (I wasn't fast enough.) Thank you!
This problem also occurs when pasting https://auth-demo.aerobatic.io/protected-standard/ into the locationbar of a fresh profile and pressing Enter. (Accessing https://anonymizer.info/de/?https://auth-demo.aerobatic.io/protected-standard/ would work to get a dialog, but that would be very bad advice.)

I like using HTTP Basic Auth to protect PowerAdmin/PHPMyAdmin and - what everyone should do - to protect WordPress installers: https://www.golem.de/news/certificate-transparency-hacking-web-applications-before-they-are-installed-1707-129172.html

(In general I like the idea of restricting basic auth to manual first-party requests (network.auth.subresource-http-auth-allow;0) in the form of https://user:pw@host/.)

Even if a security issue were the reason for this, I couldn't imagine that you could ship such a behavior to ESR users. An exception for accessing https://auth-demo.aerobatic.io/protected-standard via bookmark or awesomebar would be useful.
I think I have a bug in my patch... I will fix it.
Assignee: nobody → dd.mozilla
Status: NEW → ASSIGNED
Thanks for reporting it so quickly, the patch just landed.
I forgot to remove my debugging fprintf-s.
(In reply to Dragana Damjanovic [:dragana] from comment #2)
> I think I have a bug in my patch... I will fix it.

Can you explain what the bug in your code was semantically?
Comment on attachment 8936782
bug_1425156.patch

Review of attachment 8936782:
-----------------------------------------------------------------

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #7)
> (In reply to Dragana Damjanovic [:dragana] from comment #2)
> > I think I have a bug in my patch... I will fix it.
>
> Can you explain what the bug in your code was semantically?

Oh, I see, because top-level loads also use the SystemPrincipal as the triggeringPrincipal. I guess that makes sense.
Attachment #8936782 - Flags: review?(ckerschb) → review+
Pushed by email@example.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e098500c325d
Fix bug in the http-auth dialog blocking. r=ckerschb
Verified fixed in Nightly 59 x64 20171215100105 de_DE @ Debian Testing (KDE). Thank you!

Now I will be asked for HTTP Basic Auth credentials when:
* pasting into the locationbar
* opening a bookmark
* opening a bookmark in the sidebar
* loading it as home page
Status: RESOLVED → VERIFIED
Has Regression Range: --- → yes
Has STR: --- → yes