Closed Bug 355861 Opened 14 years ago Closed 14 years ago

'Save Link As' does not prompt for HTTP authentication when new realm encountered


(Firefox :: File Handling, defect)

Windows XP
Not set





(Reporter: nashjunk, Unassigned)


User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060909 Firefox/

The scenario for this problem is a domain ( that uses HTTP authentication and a second domain ( that uses HTTP authentication for file serving. The user logs into the main site and then selects a download link and chooses "Save Link As". Firefox has not authenticated to the "" site yet, so it does not present the HTTP Basic authentication string in its request. Instead of prompting the user for login information, it simply ignores the 401 header it receives and downloads the "invalid login" page that the web server serves up upon invalid authentication. However, if you LEFT click the download link, FireFox correctly prompts the user for authentication information and proceeds to log in and download. Even if the password manager has the correct login information, it will still not use it. 

FireFox 1.04 used to send a "HEAD" first before the Save Link As, and hence would prompt for login information and did not exhibit the behavior that 1.5+ shows. IE will also prompt for login information as expected.

Reproducible: Always

Steps to Reproduce:
1. Do a "Save Link As" on a HTTP-Authenticated realm that FireFox has not logged into this session.
2. Instead of prompting for a username/password as expected, FireFox downloads the web server's "invalid login" message.

Actual Results:  
FireFox downloads the "invalid login" HTML page from the web server, rather than the file that we selected with "Save Link As".

Expected Results:  
FireFox should rather prompt for login information upon encountering the HTTP 401 header, and then issue another request with the Basic authentication header in place to correctly download the protected file. See the behavior found in 1.04 and in IE.

I have seen other bugs related to 1.5's change of behavior (skipping the HEAD request in 'Save Link As') affecting Content-Disposition and so on, but nothing regarding how this breaks HTTP Authentication.

Users are accustomed to using Save Link As to download files, and this new behavior has broken this functionality for protected files in realms FireFox has not logged into yet during a session. It also, illogically, ignores the Password Manager.

This can be resolved by prompting the user for login information upon encountering a 401 header during Save Link As, or by restoring the previous behavior of prefacing a Save Link As request with a "HEAD" request.

*** This bug has been marked as a duplicate of 315227 ***
Closed: 14 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.