Open Bug 1726152 Opened 3 years ago Updated 3 years ago

H2 server push requires new authentication on every page load/refresh

Categories

(Core :: Networking: HTTP, defect, P3)

Product:
Core
Component:
Networking: HTTP
Version:
Firefox 91
Type:
defect

Tracking

()

Status:
UNCONFIRMED
Project Flags:
Webcompat Priority P3

People

(Reporter: patrik.juvonen, Unassigned)

References

Details

(Whiteboard: [necko-triaged])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36

Steps to reproduce:

  1. Visit a website with http basic auth enabled globally with the same user/pass
  2. Enter user/pass
  3. You are still being prompted user/pass for all server push resources in the same domain
  4. Reload the page, you are being prompted user/pass for server push resources again

Actual results:

HTTP/2 server push requires new authentication on every page load/refresh, instead of reusing credentials passed on initial load. Chrome and Safari seem to remember credentials to some extent although Chrome seems to do this more consistently.

Additionally, credentials passed on page load on the document itself are not passed onto server push resources in the same domain. Chrome seems to do this, so you only have to enter credentials once, then they get shared automatically to server push resources, and if credentials don't work, you are prompted user/pass for those resources separately. Firefox's current behavior is sort of logical, as the resources are being pushed simultaneously, but can this be improved say the same way as Chrome handles this?

URL: https://test-auth-http2-server-push.em87.io
Basic auth username / password: test / test
Pushed file: /style.css
Server: nginx/1.18.0 (Ubuntu)

Browser / Version: Firefox 91.0 (20210804193234)
Operating System: Mac OS X 10.15.7 (arm64)
Tested Another Browser: Yes. Chrome 92.0.4515.159 (Official Build) (arm64) and Safari 14.1.2 (16611.3.10.1.3) (arm64).

Expected results:

  1. Visit a website with http basic auth enabled globally with the same user/pass
  2. Enter user/pass
  3. Page loads with all the server push resources
  4. Reload the page and your previous user/pass is reused for the requests

The Bugbug bot thinks this bug should belong to the 'Core::Networking' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Networking
Product: Firefox → Core

Report confirmed on webcompat/web-bugs at https://github.com/webcompat/web-bugs/issues/83760#issue-972589962

Patrick,

Do you know about any websites where this issue is happening now and makes it difficult for users to use the site?

Webcompat Priority: --- → P3
Flags: needinfo?(patrik.juvonen)

(In reply to Karl Dubost💡 :karlcow from comment #3)

Patrick,

Do you know about any websites where this issue is happening now and makes it difficult for users to use the site?

Hi Karl,

This issue came up on an internal staging server for our customer's web shop which our customer uses, as well as our personal development environments.

We decided to remove the http2 pushes from our staging servers for the time being. With that in mind I believe this issue isn't critical, as a password protected page is likely to be an internal page for most sites and is then hard to come by. Nevertheless I still believe it is a defect and affects user experience negatively, so this behavior should be improved.

Flags: needinfo?(patrik.juvonen)

This seems like a small quality-of-life improvement that would benefit a small fraction of users.

Severity: -- → S3
Component: Networking → Networking: HTTP
Priority: -- → P3
Whiteboard: [necko-triaged]
You need to log in before you can comment on or make changes to this bug.