Bug 339530 - Basic auth fails with XMLHttpRequest
Status: VERIFIED FIXED
: verified1.8.0.5, verified1.8.1
Product: Core
Classification: Components
Component: XML
: 1.8 Branch
: x86 All
: -- major
: ---
Assigned To: Robert Sayre
: Ashish Bhatt
http://lab.dnet.nu/fftest
Reported: 2006-05-28 14:53 PDT by David Mårtensson
Modified: 2006-08-07 12:20 PDT
dveditz: blocking1.8.0.5+

Attachments
check for JSNULL/JSVOID (1.43 KB, patch)
2006-05-29 14:02 PDT, Robert Sayre
no flags
check for JSNULL/JSVOID (1.40 KB, patch)
2006-05-29 14:23 PDT, Robert Sayre
peterv: review+
jst: superreview+
patch to check in (1.43 KB, patch)
2006-06-06 18:40 PDT, Robert Sayre
no flags
patch for 1.8.0.x (1.50 KB, patch)
2006-06-11 23:30 PDT, Robert Sayre
dveditz: approval1.8.0.5+

Description David Mårtensson 2006-05-28 14:53:33 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3

When using basic authentication for the site, an XMLHttpRequest called in onLoad re-requests credentials instead of reusing the ones supplied when the page was first loaded.

Reproducible: Always

Steps to Reproduce:
1. Go to url: lab.dnet.nu/fftest
2. Enter username "fftest" and password "firefox"

Actual Results:
Immediately a new login request is opened and seconds later the XMLHttpRequest times out.

Expected Results:
The xmlhttprequest should work and display a list of names

I have tested with long timeouts and it does not work anyway

This works with IE 6.0 and Opera 8.51


LiveHTTPHeaders gave me some interesting info.

Authorization: Basic ZmZ0ZXN0OmZpcmVmb3g=
Authorization: Basic bnVsbDpudWxs

The first line is the one used for fetching the page and all js files referenced.

The latter line is the one sent by the XMLHttpRequest.

I believe they should be the same.

Here is the complete trace of the operation.



http://lab.dnet.nu/fftest

GET /fftest HTTP/1.1
Host: lab.dnet.nu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: sv,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 401 Authorization Required
Date: Sun, 28 May 2006 22:34:01 GMT
Server: Apache/2.0.55 (Trustix Secure Linux/Linux) PHP/5.0.5 mod_perl/2.0.0 Perl/v5.8.7
WWW-Authenticate: Basic realm="Firefox Ajax Test"
Content-Length: 573
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
http://lab.dnet.nu/fftest

GET /fftest HTTP/1.1
Host: lab.dnet.nu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: sv,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic ZmZ0ZXN0OmZpcmVmb3g=

HTTP/1.x 301 Moved Permanently
Date: Sun, 28 May 2006 22:34:06 GMT
Server: Apache/2.0.55 (Trustix Secure Linux/Linux) PHP/5.0.5 mod_perl/2.0.0 Perl/v5.8.7
Location: http://lab.dnet.nu/fftest/
Content-Length: 406
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
http://lab.dnet.nu/fftest/

GET /fftest/ HTTP/1.1
Host: lab.dnet.nu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: sv,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic ZmZ0ZXN0OmZpcmVmb3g=

HTTP/1.x 200 OK
Date: Sun, 28 May 2006 22:34:06 GMT
Server: Apache/2.0.55 (Trustix Secure Linux/Linux) PHP/5.0.5 mod_perl/2.0.0 Perl/v5.8.7
Last-Modified: Sun, 28 May 2006 22:30:56 GMT
Etag: "369a-304-c15a6800"
Accept-Ranges: bytes
Content-Length: 772
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
----------------------------------------------------------
http://lab.dnet.nu/lib/ajaxrequest.js

GET /lib/ajaxrequest.js HTTP/1.1
Host: lab.dnet.nu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Accept: */*
Accept-Language: sv,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://lab.dnet.nu/fftest/
If-Modified-Since: Sun, 28 May 2006 20:27:42 GMT
If-None-Match: "b6f4-44df-8a2eb80"
Authorization: Basic ZmZ0ZXN0OmZpcmVmb3g=

HTTP/1.x 304 Not Modified
Date: Sun, 28 May 2006 22:34:06 GMT
Server: Apache/2.0.55 (Trustix Secure Linux/Linux) PHP/5.0.5 mod_perl/2.0.0 Perl/v5.8.7
Connection: Keep-Alive
Keep-Alive: timeout=15, max=98
Etag: "b6f4-44df-8a2eb80"
----------------------------------------------------------
http://lab.dnet.nu/lib/layers4.js

GET /lib/layers4.js HTTP/1.1
Host: lab.dnet.nu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Accept: */*
Accept-Language: sv,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://lab.dnet.nu/fftest/
If-Modified-Since: Sun, 28 May 2006 20:28:43 GMT
If-None-Match: "b6d4-4329-c45b4c0"
Authorization: Basic ZmZ0ZXN0OmZpcmVmb3g=

HTTP/1.x 304 Not Modified
Date: Sun, 28 May 2006 22:34:06 GMT
Server: Apache/2.0.55 (Trustix Secure Linux/Linux) PHP/5.0.5 mod_perl/2.0.0 Perl/v5.8.7
Connection: Keep-Alive
Keep-Alive: timeout=15, max=99
Etag: "b6d4-4329-c45b4c0"
----------------------------------------------------------
http://null:null@lab.dnet.nu/fftest/server.php?cmd=logelist&AjaxRequestUniqueId=11488521949840

GET /fftest/server.php?cmd=logelist&AjaxRequestUniqueId=11488521949840 HTTP/1.1
Host: lab.dnet.nu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: sv,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic bnVsbDpudWxs

HTTP/1.x 401 Authorization Required
Date: Sun, 28 May 2006 22:34:06 GMT
Server: Apache/2.0.55 (Trustix Secure Linux/Linux) PHP/5.0.5 mod_perl/2.0.0 Perl/v5.8.7
WWW-Authenticate: Basic realm="Firefox Ajax Test"
Content-Length: 573
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
Comment 1 David Mårtensson 2006-05-29 08:19:14 PDT
Made a test from my machine at work and there it works.

One difference I found was in the url sent from ajax.

The bad behaviour probably came from the null:null@ prepended to the url.


I will check my config if there is a plugin that caused this and if I can still repeat the error.


The last leg from my run at work:

http://lab.dnet.nu/fftest/server.php?cmd=logelist&AjaxRequestUniqueId=11489157125270

GET /fftest/server.php?cmd=logelist&AjaxRequestUniqueId=11489157125270 HTTP/1.1
Host: lab.dnet.nu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic ZmZ0ZXN0OmZpcmVmb3g=

HTTP/1.x 200 OK
Date: Mon, 29 May 2006 16:12:47 GMT
Server: Apache/2.0.55 (Trustix Secure Linux/Linux) PHP/5.0.5 mod_perl/2.0.0 Perl/v5.8.7
X-Powered-By: PHP/5.0.5
Content-Length: 1074
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
Comment 2 David Mårtensson 2006-05-29 13:09:19 PDT
New test from home with -safe-mode.
Error persists.

I verified it on another computer at home, one XP Professional and one Home edition.

But on the computer at work it apparently works, that's XP Professional.

Either I have a plugin that neutralizes the error at work or there is some other setting in FF that affects the error.

My work computer is the most customized regarding settings as it is the one I spend most time at.

I will continue to test at work to see if I can repeat the error there but I would appreciate if someone else could try it, preferably on linux or mac, to eliminate OS dependency.
Comment 3 Robert Sayre 2006-05-29 13:23:53 PDT
(In reply to comment #0)
> 
> I have tested with long timeouts and it does not work anyway
> 
> This works with IE 6.0 and Opera 8.51

OK, it looks like your Ajax library sends a user/pass even when they are null, and we are turning those into "null"/"null" creds. Probably bad, and I verified that it works in Opera.
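
The stringification described in comment 3, and a check for it in a captured header trace, as an added example that is not part of the bug report or Mozilla's code. The function names and the `fixed` switch are hypothetical, the sample trace is constructed from the two Authorization values quoted in the description, and Node.js `Buffer` is assumed for base64.

```javascript
// Added illustration with hypothetical names; not Mozilla's implementation.
// Constructed sample built from the two Authorization values in the report.
const SAMPLE_TRACE = [
  'GET /fftest/ HTTP/1.1',
  'Authorization: Basic ZmZ0ZXN0OmZpcmVmb3g=',
  'GET /fftest/server.php?cmd=logelist HTTP/1.1',
  'Authorization: Basic bnVsbDpudWxs',
].join('\r\n');

// Model of how open()'s optional [user, password] arguments become credentials.
// fixed=false stringifies whatever was passed; fixed=true treats null and
// undefined like omitted arguments.
function credentialsFromArgs(args, fixed) {
  const pick = (i) => {
    if (i >= args.length) return ''; // argument omitted
    if (fixed && (args[i] === null || args[i] === undefined)) return '';
    return String(args[i]); // String(null) === "null"
  };
  return { user: pick(0), password: pick(1) };
}

// Basic scheme value: base64("user:password"); null when there is no explicit user.
function basicHeader({ user, password }) {
  if (user === '') return null;
  return 'Basic ' + Buffer.from(`${user}:${password}`).toString('base64');
}

// Decode a Basic header value, splitting at the first colon.
function decodeBasic(value) {
  const m = /^Basic\s+([A-Za-z0-9+\/]+=*)$/i.exec(value.trim());
  if (!m) return null;
  const text = Buffer.from(m[1], 'base64').toString('utf8');
  const i = text.indexOf(':');
  return i < 0 ? null : { user: text.slice(0, i), password: text.slice(i + 1) };
}

// Report requests whose credentials are stringified JavaScript placeholders.
function findPlaceholderCredentials(trace) {
  const bad = new Set(['null', 'undefined']);
  return trace.split(/\r?\n/).flatMap((line) => {
    const m = /^Authorization:\s*(.+)$/i.exec(line);
    const creds = m ? decodeBasic(m[1]) : null;
    return creds && bad.has(creds.user) && bad.has(creds.password)
      ? [{ line, ...creds }] : [];
  });
}
```

Run over a proxy or header log, `findPlaceholderCredentials` picks out clients that are sending literal "null" or "undefined" credentials instead of relying on the cached ones.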
Comment 4 Robert Sayre 2006-05-29 14:02:01 PDT
Created attachment 223720
check for JSNULL/JSVOID
Comment 5 Robert Sayre 2006-05-29 14:13:42 PDT
I can verify this on Linux.
Comment 6 Robert Sayre 2006-05-29 14:23:32 PDT
Created attachment 223724
check for JSNULL/JSVOID
Comment 7 David Mårtensson 2006-05-30 00:40:18 PDT
Retested at work with safe mode and then the error repeats itself.

Either this means that some extension fixes the error or there is some setting in safe mode that does it.

I have the following extensions at work:

DOM Inspector 1.8.0.3
Talkback 1.5.0.3
Gmail Notifier 0.5.5.5
FirefoxView 0.31.2
Context Highlight 0.2
Context Search 0.2.1
Web Developer 1.0.2
Javascript Debugger 0.9.87
ColorZilla 0.8.3.1
Live HTTP Headers 0.11
J2SE Update 6
AdBlock Plus 0.5.11.3
Html Validator 0.7.9
Javascript Console Plus 0.1.2005042201
FireBug 0.4

Will supply a list from home later today.

Are there any other filer or settings you could use to identify the difference between safe mode and normal operation at work as this could narrow down the problem or offer a quick fix for users encountering the problem?
Comment 8 David Mårtensson 2006-05-30 11:31:33 PDT
I checked on the open function as it is described in MSDN and it states the following

==========================
sUser	Optional. Variant that specifies the name of the user for authentication. If this parameter is null ("") or missing and the site requires authentication, the component displays a logon window.

sPassword	Optional. Variant that specifies the password for authentication. This parameter is ignored if the user parameter is null ("") or missing.
=============================
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/open.asp

And this
===============================
Although this method accepts credentials passed via parameter, those credentials are not automatically sent to the server on the first request. The bstrUser and bstrPassword parameters are not sent to the server unless the server challenges the client for credentials with a 401 - Access Denied response.
===============================
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xmlsdk/html/52aaf5ff-e302-4490-821a-cb3a085fe5ee.asp

I interpret this to mean that null values should ONLY be regarded if the server requests auth with a 401, but as basic auth is sent in the call, the server never requests authentication.

I also found this on W3.org
============================
Calling this method MUST initialise the object by remembering the method, uri, async (defaulting to true if omitted), user  (defaulting to null if omitted), and password (defaulting to null if omitted) arguments, setting the readyState  attribute to 1 (Open), resetting the responseText, responseXML, status, and statusText  attributes to their initial values, and resetting the list of request headers.

Same-origin security restrictions SHOULD apply.

If the URI given to this method contains a user name and a password (the latter potentially being the empty string), then these MUST be used if the user and password arguments are omitted. If the arguments are not omitted, they take precedence, even if they are null.
================================
http://www.w3.org/TR/XMLHttpRequest/

This does not state how to behave when authentication is not requested so I believe FF should go with the IE and Opera behaviour and suggest to W3 to include this in the draft for clarification.

I have tested all extensions and I have yet to find any solution to why this works with my FF at work but not at home or on my portable.

As for my site's requirements I can just change the ajaxrequest code so that the problem never arises. I will also contact the author of the library and inform him about the problem.

Still, this script is quite widely used, maybe just not with authentication so the problem can resurface.
Comment 9 Johnny Stenback (:jst, jst@mozilla.com) 2006-06-05 18:03:55 PDT
Comment on attachment 223724
check for JSNULL/JSVOID

       if (argc > 3) {
         JSString* userStr = ::JS_ValueToString(cx, argv[3]);
 
-        if (userStr) {
+        if (userStr && !JSVAL_IS_NULL(argv[3]) && !JSVAL_IS_VOID(argv[3])) {

Any reason not to add the null and undefined checks to the earlier if (argc > 3) check here to avoid calling JS_ValueToString() on a value we know we won't be using?

           user.Assign(NS_REINTERPRET_CAST(PRUnichar *,
                                           ::JS_GetStringChars(userStr)),
                       ::JS_GetStringLength(userStr));
         }
 
         if (argc > 4) {
           JSString* passwdStr = JS_ValueToString(cx, argv[4]);
 
-          if (passwdStr) {
+          if (passwdStr && !JSVAL_IS_NULL(argv[4]) && !JSVAL_IS_VOID(argv[4])) {
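
Review bot: the two new conditions, on argv[3] and on argv[4], are evaluated independently, so a null or undefined argv[3] followed by a string argv[4] still passes the password test and leaves a password with no user name. Add a short comment above each check saying that null and undefined are deliberately treated like omitted arguments, and state what is expected to happen in that mixed case. As a style point, the password branch calls JS_ValueToString(cx, argv[4]) unqualified while the user branch uses ::JS_ValueToString(cx, argv[3]); use the same qualification in both.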

Same here.

sr=jst with that.
Comment 10 Robert Sayre 2006-06-05 18:21:04 PDT
(In reply to comment #9)
> 
> Any reason not to add the null and undefined checks to the earlier if (argc >
> 3) check here to avoid calling JS_ValueToString() on a value we know we won't
> be using?

That's how I had it originally, but then I thought about the case of an empty username and non-empty password (which could definitely happen with this dhtml library). I looked at the WHATWG spec, but didn't see anything on that case. I figured OpenRequest should be the place where that decision is made.

Happy to change it back, though
Comment 11 Robert Sayre 2006-06-06 18:40:36 PDT
Created attachment 224645
patch to check in
Comment 12 Robert Sayre 2006-06-06 18:42:42 PDT
(In reply to comment #11)
> Created an attachment (id=224645) [edit]
> patch to check in
> 

/cvsroot/mozilla/content/base/src/nsXMLHttpRequest.cpp,v  <--  nsXMLHttpRequest.cpp
new revision: 1.156; previous revision: 1.155
done
Comment 13 Daniel Veditz [:dveditz] 2006-06-07 15:34:07 PDT
Please land on the 1.8 branch and add the approval1.8.0.5? flag to the right attachment. Thanks
Comment 14 Robert Sayre 2006-06-11 19:51:09 PDT
landed on 1.8:

/cvsroot/mozilla/content/base/src/nsXMLHttpRequest.cpp,v  <--  nsXMLHttpRequest.cpp
new revision: 1.156.2.2; previous revision: 1.156.2.1
done
Comment 15 Robert Sayre 2006-06-11 23:30:45 PDT
Created attachment 225238
patch for 1.8.0.x
Comment 16 Daniel Veditz [:dveditz] 2006-06-12 11:38:51 PDT
Comment on attachment 225238
patch for 1.8.0.x

approved for 1.8.0 branch, a=dveditz for drivers
Comment 17 Daniel Veditz [:dveditz] 2006-06-12 11:42:17 PDT
(In reply to comment #13)
> Please land on the 1.8 branch and add the approval1.8.0.5? flag

I should have been clearer, we (1.8.0.x drivers) want it landed on the 1.8 branch first, but you needed to get 1.8.1 approval from appropriate module owners to do so. That's part of our test: if they don't approve it for 1.8.1 then it's certainly not appropriate for 1.8.0.x

No harm done, though.
Comment 18 Robert Sayre 2006-06-18 19:32:58 PDT
Checking in nsXMLHttpRequest.cpp;
/cvsroot/mozilla/extensions/xmlextras/base/src/Attic/nsXMLHttpRequest.cpp,v  <--  nsXMLHttpRequest.cpp
new revision: 1.134.2.7.2.1; previous revision: 1.134.2.7
done
Comment 19 Zach Lipton [:zach] 2006-06-20 12:38:40 PDT
Verified fixed on mac 1.5.0. branch build id 2006062008
