Open Bug 221943 Opened 21 years ago Updated 2 years ago

xmlhttprequest needs an alternate authentication method

Categories

(Core :: XML, defect)

Product:
Core
Component:
XML
Type:
defect

Tracking

()

People

(Reporter: samuel, Unassigned)

References

Details

Attachments

(1 file)

first proposed solution
6.18 KB, patch
hjtoi-bugzilla
: review-
Details | Diff | Splinter Review 
Sometimes applications using xmlhttprequest don't want the password dialog to
pop up if authentication failed.  It would be nice to get a callback or possibly
just to not have the dialog and return an error if authentication fails.
if I'm right this bug blocks bug 197087.
Thank you.  I had lost track of this one.
Blocks: 197087
this is a proposed idea to fix this bug more than a proposed patch.
I've compiled with these changes, but I haven't tested it (because I haven't a
testcase yet). But to make a first look it's ok, I think.
Attachment #142679 - Flags: review?(hjtoi-bugzilla)
Ariel, the problem is that we should avoid changing the XMLHttpRequest
interface. If that was ok, then this kind of approach would work, but the
property would need to be declared off limits to web pages in all.js because of
security reasons.

Since this thing would be called from code with chrome privileges, it seems like
you should be able to provide your own auth prompt implementation completely.
Maybe we'll just need a sample here to show how it's done, and this bug can then
be closed just by checking in a sample of how to do it, and not change any
XMLHttpRequest code.
Attachment #142679 - Flags: review?(hjtoi-bugzilla) → review-
I was thinking that I should be able to provide my own auth prompt. But I'm not
sure now. 
I intended to use nsIAuthPrompt like a listener interface, as to provide a
graphical independent way to get a username and a password.
If I want to use nsIAuthPrompt in that way (in JS) I need to compile its idl to
xpt, but I'm not sure if it's possible because I'll have a nsIAuthPrompt.h and
nsIAuthPrompt.xpt with the same uuid number.
So I'll try to extend nsIAuthPrompt with an empty interface with a different
uuid number. Please, if you have a better/cleaner way to do that let me know.
I was thinking... is ok to change "open" method ?
adding: xmlhttp.open( method, url, async, prompter ).

I can build a nsIAuthPrompt like:
var prompter = {
    prompt: function( dialogTitle, text, passwordRealm,
                      savePassword, defText, result)
    {
      return this.promptPassword( dialogTitle, text, passwordRealm, 
                                  savePassword, result );
    },
    promptPassword: function( dialogTitle, text, passwordRealm,
                              savePassword, pwd)
    {
      return this.promptUsernameAndPassword( dialogTitle, text, passwordRealm,
                                             savePassword, new Object(), pwd );
    },
    promptUsernameAndPassword: function( dialogTitle, text, passwordRealm,
                                         savePassword, user, pwd)
    {
      /* here must be implemented a way to get username and password */
      user.value = "mr_user";
      pwd.value = "secret_pwd";
      return true;
    }
}

but xmlhttp must to use it. 
how can I do that if I can't change the interface? :(
the interface for open is magical:

184    * Meant to be a script-only method for initializing a request.
185    * The parameters are similar to the ones detailed in the
186    * description of <code>openRequest</code>, but the last
187    * 3 are optional.
188    *
189    * Will abort currently active loads.
190    *
191    * After the initial response, all event listeners will be cleared.
192    * Call open() before setting new event listeners.
193    *
194    * @param method The HTTP method - either "POST" or "GET". Ignored
195    *               if the URL is not a HTTP URL.
196    * @param url The URL to which to send the request.
197    * @param async (optional) Whether the request is synchronous or
198    *              asynchronous i.e. whether send returns only after
199    *              the response is received or if it returns immediately 
after
200    *              sending the request. In the latter case, notification
201    *              of completion is sent through the event listeners.
202    *              The default value is true.
203    *              This argument must be true if the multipart
204    *              attribute has been set to true, or an exception will
205    *              be thrown.
206    * @param user (optional) A username for authentication if necessary.
207    *             The default value is the empty string
208    * @param password (optional) A password for authentication if necessary.
209    *                 The default value is the empty string
210    */
211   void   open(in AUTF8String method, in AUTF8String url);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
note that it doesn't specify params 3 through 5.

it's fairly easy to change param 4 so that it accepts either an authprompt or a 
string.

but you probably need to do a security check on that to disallow random content 
from providing the auth prompt.

This may actually affect me.
Did something related to this change between RC1 and RC2 of Firefox?

XMLHttpRequest used to ask for user name and password if needed. In RC2 it just
fails without the prompt.
(In reply to comment #8)
> Did something related to this change between RC1 and RC2 of Firefox?
> 
> XMLHttpRequest used to ask for user name and password if needed. In RC2 it just
> fails without the prompt.

You should file a new bug for that.
Although if this is true, it's a good thing for xmlrpc...
the RC1 to RC2 failing on authentication is probably related to bug #268216.
QA Contact: ashshbhatt → xml

The bug assignee didn't login in Bugzilla in the last 7 months, so the assignee is being reset.

Assignee: hjtoi-bugzilla → nobody
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: