window.fetch fails when using a relative url from the context of a url with inline HTTP basic credential
Reported by
hmottes...@gmail.com,
Mar 19 2016
|
|||||||||||
Issue description
Chrome Version : 49.0.2623.87 (64-bit)
URLs (if applicable) : https://test:test@www.google.no/
Other browsers tested:
Add OK or FAIL, along with the version, after other browsers where you
have tested this issue:
Safari: OK
Firefox:
IE:
What steps will reproduce the problem?
(1) Go to a webpage that uses https and inline basic credentials
(2) Execute in console: window.fetch(".")
(3)
What is the expected result?
A GET request against https://www.google.no/. or https://test:test@www.google.no/.
What happens instead?
Error with message: Request cannot be constructed from a URL that includes credentials: .
Please provide any additional information below. Attach a screenshot if
possible.
Executing window.fetch(window.location.origin+".", {credentials: 'same-origin'}) will in fact work, however it gets stopped by CORS. I have check against a site with a lax CORS, and then it works fine.
,
Mar 21 2016
,
Mar 21 2016
I just tested this is on v 48.0.2564.116 (64-bit) and it works fine.
I tried window.fetch(".") and window.fetch("/hello") and they both show up in the network logs (XHR) as http://test:test@www.google.no/ and http://test:test@www.google.no/hello respectively.
If I add {credentials: 'same-origin'} it also sends the cookie. I also tested this on a site that requires http basic auth, and then it sends the correct Authorization header.
So this is a regression for me.
,
Mar 22 2016
It is specified in https://fetch.spec.whatwg.org/#dom-request If parsedURL includes credentials, throw a TypeError. and was implemented as https://chromium.googlesource.com/chromium/src/+/1c2ac08f854e4b5f668c8e8f148fcb6679d2e34e. I think it works as intended.
,
Mar 22 2016
,
Mar 22 2016
I found that same code. And it does look intended. There doesn't seem to be an explanation for why the spec doesn't allow credentials, and it is probably an omission to not handle relative urls independently of absolute urls. Credentials in absolute urls may be bad. But relative urls only have credentials because of their base url, which is already ratified by the browser.
,
Mar 22 2016
Have you read below threads? - https://github.com/whatwg/fetch/issues/26 - https://bugs.chromium.org/p/chromium/issues/detail?id=474439 If you want to change a spec-conformant behavior, the spec issue tracker would be the right place to talk.
,
Mar 22 2016
Thank you for providing more feedback. Assigning to requester "ssamanoori@chromium.org" for another review. For more details visit https://sites.google.com/a/chromium.org/dev/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 29 2016
Tested the issue on Windows 7 using 49.0.2623.87, latest stable 49.0.2623.110 with below steps: 1.Opened URL: https://www.google.no/ 2.Navigated to dev tools->console and typed 'window.fetch(".")'. 3.Observed the result as in screenshot. 4.Observed the same behavior in chrome 48.0.2564.116 version. Please find attached screenshot and update if anything missed here in triaging the issue. hmottestad@Could you please provide actual and expected behavior screenshots for better understanding the issue to triage it further.
,
Mar 29 2016
Try: https://test:test@www.google.no/
,
Mar 29 2016
Thank you for providing more feedback. Adding requester "ssamanoori@chromium.org" for another review and adding "Needs-Review" label for tracking. For more details visit https://sites.google.com/a/chromium.org/dev/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 31 2016
Tested the issue on Windows 7 using 49.0.2623.87, latest stable 49.0.2623.110 with below steps:
1.Opened URL: https://test:test@www.google.no/
2.Navigated to dev tools->console and typed 'window.fetch(".")'.
3.Observed an error saying "Request cannot be constructed from a URL that includes credentials" in M-49.
4.Observed the differeny behavior in chrome 48.0.2564.116 version.
5.Observed different error in M-40 and M-30 versions of chrome.
hmottestad@Could you please provide expected behavior screenshot for better understanding the issue to triage it further.
,
Mar 31 2016
ssamanoori@chromium.org window.fetch("anything/goes/here") when on a page with inline basic auth worked fine in v48 but stopped working in v49. As pointed out by yhirano@chromium.org, this is actually spec compliant. I very much disagree with the spec, since it breaks behaviour that works with XMLHttpRequest and breaks behaviour that is part of the http standard. I have aired by concerns on https://github.com/whatwg/fetch/issues/26.
,
Apr 1 2016
Thank you for providing more feedback. Adding requester "ssamanoori@chromium.org" for another review and adding "Needs-Review" label for tracking. For more details visit https://sites.google.com/a/chromium.org/dev/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 7 2016
Unable to reproduce the issue on Windows 7 using latest stable 49.0.2623.110, canary 51.0.2701.0 as per steps in comment #9. Please find attached screenshot. hmottestad@Could you please check the issue on clean profile and update your observations.
,
Apr 7 2016
OK, I'm taking this bug but I will not change the implementation until the standard discussion settles. I don't have a strong opinion which is right: hiroshige@, can you express your opinion on the github issue https://github.com/whatwg/fetch/issues/26?
,
Jul 25 2016
Close this issue as the spec issue is closed. https://github.com/whatwg/fetch/issues/26?#issuecomment-234557734 |
|||||||||||
►
Sign in to add a comment |
|||||||||||
Comment 1 by brajkumar@chromium.org
, Mar 21 2016