New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 6 users

Issue metadata

Status: Duplicate
Merged: issue 123150
Owner: ----
Closed: May 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug

Restricted
  • Only users with Commit permission may comment.



Sign in to add a comment
link

Issue 128323: XMLHttpRequest.open w/ username/password returns 401 in Chrome 19 (worked in 18)

Reported by goo...@katic.org, May 16 2012

Issue description

Chrome Version       : 19.0.1084.46
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
URLs (if applicable) : https://api.del.icio.us/v1/tags/get
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
     Safari 5: n/a
  Firefox 4.x: n/a
     IE 7/8/9: n/a

What steps will reproduce the problem?
1. Get a Delicious account (http://delicious.com) or use an existing one.
2. Install extension: https://chrome.google.com/webstore/detail/agabedjjbijfpccchcmpfpcdfnlpjkoj?hl=en-US
3. Try to log in with the Delicious account username and password.
4. It will say "Error: Unknown username or password. Please try to login again."
5. Inspecting the popup shows the 401 error.

What is the expected result?

  The extension is using XMLHttpRequest like this:

    request.open("GET", "https://api.del.icio.us/v1/tags/get", true, userName, password);

  This translates to this:

    https://myusername:mypassword@api.del.icio.us/v1/tags/get

  This should authenticate the GET request, and XML should be returned with the response from the API call.

  This worked in Chrome 18, and in previous versions stretching back over a year.

What happens instead?

  Delicious returns a "401 Unauthorized", and this XML: <?xml version="1.0" encoding="UTF-8"?><result code="access denied"/>

  It is as if Chrome is not actually sending the username/password at all anymore.

Please provide any additional information below. Attach a screenshot if
possible.

  The same issue is happening for the Pinboard API.

  https://api.pinboard.in/v1/tags/get

UserAgentString: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
 

Comment 1 by crab...@gmail.com, May 16 2012

This also applies to XMLHTTPRequests issued from files loaded from file:/// while in --disable-web-security mode.

Same behavior as above where the first request is given a 401 and no followup is sent.  Previously a 401 would occur and would be immediately followed-up by another request with the specified credentials.

Comment 2 by mpcomplete@chromium.org, May 17 2012

Cc: aa@chromium.org abarth@chromium.org
Labels: -Area-Undefined Area-Internals Feature-Extensions
Status: Available
This might be caused by content security policy. I'm not entirely sure how that works.

Comment 3 by asanka@chromium.org, May 18 2012

Cc: tsepez@chromium.org
Labels: -OS-Windows OS-All Internals-Network-Auth
Summary: XMLHttpRequest.open w/ username/password returns 401 in Chrome 19 (worked in 18)
Specifying the username/password in XMLHttpRequest.open(...) results in a URLRequest that has an embedded identity.

E.g.:
   request.open("GET", "http://example.com/foo", "user", "pass");
   ...will result in a request for "http://user:pass@example.com/foo

Chrome 19 dropped support for URL embedded identities (since http://crrev.com/120836). So the credentials in the URL aren't used to respond to the 401 challenge.

Comment 4 by goo...@katic.org, May 19 2012

Solution: I changed code to do basically this: 

http://coderseye.com/2007/how-to-do-http-basic-auth-in-ajax.html

I went with the jQuery / $.ajax option.

Comment 5 by cbentzel@chromium.org, May 21 2012

Mergedinto: 123150
Status: Duplicate

Comment 6 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
Mergedinto: chromium:123150
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 7 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Area-Internals -Feature-Extensions -Internals-Network-Auth Cr-Platform-Extensions Cr-Internals-Network-Auth Cr-Internals

Sign in to add a comment