Open Bug 1669264 Opened 4 years ago Updated 5 months ago

JS map fetch does not use authentication, causing 401 errors and unreadable JS

Categories

(DevTools :: Debugger, defect, P3)

defect

Tracking

(Not tracked)

People

(Reporter: bugs, Unassigned, NeedInfo)

References

(Blocks 2 open bugs)

Details

What were you doing?

Accessing Apache PLAIN auth restricted test server using a JS web app with JS maps for the minified JS.

  1. Access app. Enter test username/pass
  2. Open firefox debugger.
  3. Note 401 error on attempting to fetch JS map.

What happened?

Source map error: Error: request failed with status 401
Resource URL: https://testserver/demo/build/bundle.js
Source Map URL: bundle.js.map

What should have happened?

Fetch source map using same authentication as all other static resources.

Anything else we should know?

Tested in a clean nightly profile.

Severity: -- → S3
Priority: -- → P3

Oups. Sorry, did search for dupes. Not well enough apparently.

Any progress regarding the bug fixing of this one? Thanks.

Flags: needinfo?(hmanilla)

Hi Yakun,
No progress yet!

Do you have an app we can use to reproduces this easily. That would really help
in looking into this.

Thanks

Flags: needinfo?(hmanilla) → needinfo?(liyakun127)

No app, but given how easy it is to reproduce, I'll try to make you a testcase after work. Basically all I need to reproduce it is to make a folder on my apache server with a .htaccess file for BASIC auth with some trivial set of credentials like test/test.

https://m8y.org/tmp/testcase497.xhtml
Here you go. It was fairly trivial to setup ☺

Here's the contents of .htaccess if you want to replicate it yourself.
testcase497 $ cat .htaccess
AuthUserFile /www/html/tmp/testcase497/.htpasswd
AuthGroupFile /dev/null
AuthName "Enter test/test to access this folder"
AuthType Basic
<Limit GET POST PUT>
require valid-user
</Limit>

Aaaand here's the test files.
testcase497 $ for i in test*;do hr;echo $i;hr;cat $i;done
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
test.js
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
function test() { alert("hello world"); }
//# sourceMappingURL=test.js.map
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
test.js.map
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
{"version":3,"file":"test.js","sources":["test.js"],"sourcesContent":["function test() { alert('hello mapped world'); }"],"mappings":""}

(In reply to Hubert Boma Manilla (:bomsy) from comment #4)

Hi Yakun,
No progress yet!

Do you have an app we can use to reproduces this easily. That would really help
in looking into this.

Thanks

Hello Hubert,

sorry for the delay in replying.
The application I was using is from one Angular app behind a Nginx proxy. However, the example provided by @nemo has demonstrated the issue.

Best
Yakun

Flags: needinfo?(liyakun127) → needinfo?(hmanilla)

Can confirm this,
Still happening in FF v110.0 for *.js.map and .css.map files which are behind a htaccess protection.

You need to log in before you can comment on or make changes to this bug.