Open Bug 1742396 Opened 3 years ago Updated 4 months ago

Firefox is throwing "Uncaught DOMException: The operation is insecure." when using history.replaceState with URL containing basic auth

Categories

(Core :: DOM: Core & HTML, defect, P3)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

People

(Reporter: ondrejsynacek, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0

Steps to reproduce:

Create HTML document. Add Javascript that is using History API replaceState method to add query parameter to current URL when page is loaded.

HTML:

<!doctype html>

<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">

  <title>URL Test with basic auth</title>
  <meta name="description" content="Test for Firefox and handling of history API when basic auth is present">
  <meta name="author" content="Ondrej">

</head>

<body>
  <h1>URL Test</h1>

  <script>

    const addParameter = () => window.history.replaceState(null, '', '/?ok=1')
    window.addEventListener('DOMContentLoaded', () => {
      addParameter()
    })
  </script>
</body>
</html>

Now open the web page with URL that contains basic authentication. You can test this behaviour on this page that contains this document here.

Copy paste this text into your address bar: https://user:pass@offbeat-cattle.surge.sh

Actual results:

Query parameter is not updated in URL. Console throws:

Uncaught DOMException: The operation is insecure.

Expected results:

Query parameter should be updated to contain ?ok=1 string. No error should be thrown.

If this is expected behaviour, perhaps the error could be more specific (am I using the API wrong?)

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Core & HTML' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core
Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3

I have the same issue, I have sonarr and radarr behind basic auth, have bookmarked it with the basic auth in the url... nothing works when I click anything because of that error... very annoying since I have to copy paste the url after logging in, and open it in a new tab.

You need to log in before you can comment on or make changes to this bug.