xmlhttprequest needs an alternate authentication method



15 years ago
9 years ago


(Reporter: Samuel Sieb, Assigned: Heikki Toivonen (remove -bugzilla when emailing directly))


Dependency tree / graph

Firefox Tracking Flags

(Not tracked)



(1 attachment)

6.18 KB, patch
Heikki Toivonen (remove -bugzilla when emailing directly)
: review-
Details | Diff | Splinter Review


15 years ago
Sometimes applications using xmlhttprequest don't want the password dialog to
pop up if authentication failed.  It would be nice to get a callback or possibly
just to not have the dialog and return an error if authentication fails.

Comment 1

15 years ago
if I'm right this bug blocks bug 197087.

Comment 2

15 years ago
Thank you.  I had lost track of this one.
Blocks: 197087

Comment 3

15 years ago
Created attachment 142679 [details] [diff] [review]
first proposed solution

this is a proposed idea to fix this bug more than a proposed patch.
I've compiled with these changes, but I haven't tested it (because I haven't a
testcase yet). But to make a first look it's ok, I think.


15 years ago
Attachment #142679 - Flags: review?(hjtoi-bugzilla)
Ariel, the problem is that we should avoid changing the XMLHttpRequest
interface. If that was ok, then this kind of approach would work, but the
property would need to be declared off limits to web pages in all.js because of
security reasons.

Since this thing would be called from code with chrome privileges, it seems like
you should be able to provide your own auth prompt implementation completely.
Maybe we'll just need a sample here to show how it's done, and this bug can then
be closed just by checking in a sample of how to do it, and not change any
XMLHttpRequest code.
Attachment #142679 - Flags: review?(hjtoi-bugzilla) → review-

Comment 5

15 years ago
I was thinking that I should be able to provide my own auth prompt. But I'm not
sure now. 
I intended to use nsIAuthPrompt like a listener interface, as to provide a
graphical independent way to get a username and a password.
If I want to use nsIAuthPrompt in that way (in JS) I need to compile its idl to
xpt, but I'm not sure if it's possible because I'll have a nsIAuthPrompt.h and
nsIAuthPrompt.xpt with the same uuid number.
So I'll try to extend nsIAuthPrompt with an empty interface with a different
uuid number. Please, if you have a better/cleaner way to do that let me know.

Comment 6

15 years ago
I was thinking... is ok to change "open" method ?
adding: xmlhttp.open( method, url, async, prompter ).

I can build a nsIAuthPrompt like:
var prompter = {
    prompt: function( dialogTitle, text, passwordRealm,
                      savePassword, defText, result)
      return this.promptPassword( dialogTitle, text, passwordRealm, 
                                  savePassword, result );
    promptPassword: function( dialogTitle, text, passwordRealm,
                              savePassword, pwd)
      return this.promptUsernameAndPassword( dialogTitle, text, passwordRealm,
                                             savePassword, new Object(), pwd );
    promptUsernameAndPassword: function( dialogTitle, text, passwordRealm,
                                         savePassword, user, pwd)
      /* here must be implemented a way to get username and password */
      user.value = "mr_user";
      pwd.value = "secret_pwd";
      return true;

but xmlhttp must to use it. 
how can I do that if I can't change the interface? :(

Comment 7

14 years ago
the interface for open is magical:

184    * Meant to be a script-only method for initializing a request.
185    * The parameters are similar to the ones detailed in the
186    * description of <code>openRequest</code>, but the last
187    * 3 are optional.
188    *
189    * Will abort currently active loads.
190    *
191    * After the initial response, all event listeners will be cleared.
192    * Call open() before setting new event listeners.
193    *
194    * @param method The HTTP method - either "POST" or "GET". Ignored
195    *               if the URL is not a HTTP URL.
196    * @param url The URL to which to send the request.
197    * @param async (optional) Whether the request is synchronous or
198    *              asynchronous i.e. whether send returns only after
199    *              the response is received or if it returns immediately 
200    *              sending the request. In the latter case, notification
201    *              of completion is sent through the event listeners.
202    *              The default value is true.
203    *              This argument must be true if the multipart
204    *              attribute has been set to true, or an exception will
205    *              be thrown.
206    * @param user (optional) A username for authentication if necessary.
207    *             The default value is the empty string
208    * @param password (optional) A password for authentication if necessary.
209    *                 The default value is the empty string
210    */
211   void   open(in AUTF8String method, in AUTF8String url);
note that it doesn't specify params 3 through 5.

it's fairly easy to change param 4 so that it accepts either an authprompt or a 

but you probably need to do a security check on that to disallow random content 
from providing the auth prompt.

This may actually affect me.

Comment 8

14 years ago
Did something related to this change between RC1 and RC2 of Firefox?

XMLHttpRequest used to ask for user name and password if needed. In RC2 it just
fails without the prompt.
(In reply to comment #8)
> Did something related to this change between RC1 and RC2 of Firefox?
> XMLHttpRequest used to ask for user name and password if needed. In RC2 it just
> fails without the prompt.

You should file a new bug for that.

Comment 10

14 years ago
Although if this is true, it's a good thing for xmlrpc...

Comment 11

13 years ago
the RC1 to RC2 failing on authentication is probably related to bug #268216. 
QA Contact: ashshbhatt → xml
You need to log in before you can comment on or make changes to this bug.