
Issue 767399

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




Support for embedded credentials in subresource requests is NOT DROPPED.

Reported by k7r...@gmail.com, Sep 21 2017

Issue description

Chrome Version       : 'Version 61.0.3163.91'
URLs (if applicable) : https://USERNAME:PASSWORD@qa8.genqa/PlatformManagementService/showGeoLocation/
Other browsers tested:
  Not tested in other browsers. We use Chrome browser completely.

What steps will reproduce the problem?
(1) HTTP Request - entered the URL https://USERNAME:PASSWORD@qa8.genqa/PlatformManagementService/showGeoLocation/
(2) Entered the input values
(3) Clicked Post Submit button.

What is the expected result?
After (3), the Authentication Required window should appear, asking for username and password.

What happens instead?
As the username and password are specified in the URL, it doesn't ask for authentication credentials.

DETAIL EXPLANATION:
*******************
I am working for a software company as a Software Tester (Automation). I am automating the manual behavior of a web application.
Use case:
Automate - Send HTTP request (URL) and verify the expected JSON response.

Steps:
Follow steps (1), (2) and (3) above.
After step (3), the Authentication window appears asking for username and password.

As I have entered the username and password in the URL, it doesn't ask for credentials.

Support for this feature was stopped after the Chrome v_59 release, but I am using the latest one, v_61.

Enclosed Doc with Images for Reference.


 
Attachment: Chrome Defect _Authentication window not appearing.docx (80.3 KB)
Labels: -Type-Bug Type-Feature

Comment 2 by kochi@chromium.org, Sep 22 2017

Components: -Blink Internals>Network>Auth
Labels: -Type-Feature Type-Bug
Thanks for the report.

Did you see the same procedure work in a prior version of Chrome (e.g. M60),
while you see it is not working in M61?  Or is it just not what you expect?

Routing to Internals>Network>Auth so that someone can confirm whether this is
expected behavior or not.

Comment 3 by mkwst@chromium.org, Sep 22 2017

I don't really understand the report. If you're talking about typing a URL containing `username:password` in the omnibox, then it's expected not to fail. The changes we made somewhat recently blocked embedded credentials in subresource requests only, not in top-level navigations.

Does that cover what you're reporting?

Comment 4 by k7r...@gmail.com, Sep 22 2017

Hi.
As per https://www.chromestatus.com/feature/5669008342777856, which says
"We should block requests for subresources that contain embedded credentials (e.g. "http://ima_user:hunter2@example.com/yay.tiff"). Such resources would be handled as network errors."

In my automation script, I tried the same (https://username:password@url.com/geolocation). As per your recent changes, I should get a network error, or it should not bypass the authentication window.

In simple terms:
1. Passing the URL without username and password in it, e.g. http://url.com/geolocation
   The Authentication Required pop-up window appears, asking for username and password.

2. Passing the URL WITH username and password in it, e.g. https://username:password@url.com/geolocation
   The Authentication Required pop-up window doesn't appear, I don't see any error displayed, and it bypasses the authentication window.

This functionality, passing username and password in the URL, is DROPPED after Chrome V_59.


Other people are also reporting the same. Please refer to demouser123's comment at https://sqa.stackexchange.com/questions/29514/how-to-handle-windows-authentication-pop-up-with-protractor

Thanks

Comment 5 by mkwst@chromium.org, Sep 22 2017

> As per https://www.chromestatus.com/feature/5669008342777856 .
> says  "We should block requests for subresources that contain
> embedded credentials (e.g. "http://ima_user:hunter2@example.com/yay.tiff").
> Such resources would be handled as network errors."

"Subresources" is an important word in that first sentence. We changed the way things like `<script src="https://username:password@example.com/">` work. We did not change the way top-level navigation works (at least, not intentionally).

If you type `http://username:password@example.com/` into the omnibox, that request will be authenticated if the server requests authentication. If you're using an automation tool like Selenium to instruct the browser to navigate the top-level window, the same applies: we haven't changed the behavior of those navigations.

Is that what we're talking about? Or is `https://username:password@url.com/geolocation` being loaded in an iframe?
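
Added example, not part of the thread and not Chromium code: a small audit that models the distinction drawn in comment 5 by flagging URLs with embedded credentials in markup and classifying each as a subresource request (handled as a network error) or a top-level navigation (unchanged). The function names, the tag list, the regex-based attribute extraction and the sample markup are assumptions made for illustration; iframes are counted as subresources, following the question in comment 5.

```javascript
// Constructed sample markup; example.com URLs are placeholders.
const SAMPLE_HTML = `
<script src="https://username:password@example.com/app.js"></script>
<img src="http://ima_user:hunter2@example.com/yay.tiff">
<img src="/static/logo.png">
<iframe src="https://username:password@example.com/geolocation"></iframe>
<a href="https://username:password@example.com/">top-level link</a>
`;

// Elements whose URL attribute triggers a subresource fetch (simplified, assumed list).
const SUBRESOURCE_TAGS = new Set([
  "script", "img", "iframe", "link", "video", "audio", "source", "embed",
]);

// True when the URL, resolved against the page URL, carries userinfo.
function hasEmbeddedCredentials(rawUrl, baseUrl) {
  let u;
  try {
    u = new URL(rawUrl, baseUrl);
  } catch {
    return false; // unparseable values are out of scope for this audit
  }
  return u.username !== "" || u.password !== "";
}

// Returns one finding per src/href value that embeds credentials.
// Regex extraction is a simplification; a real audit would use an HTML parser.
function auditMarkup(html, baseUrl) {
  const findings = [];
  const attrRe = /<([a-z0-9]+)\b[^>]*?\b(src|href)\s*=\s*["']([^"']+)["']/gi;
  for (const [, tag, attr, value] of html.matchAll(attrRe)) {
    if (!hasEmbeddedCredentials(value, baseUrl)) continue;
    const kind = SUBRESOURCE_TAGS.has(tag.toLowerCase()) ? "subresource" : "navigation";
    // Redact the credentials so the report does not leak them further.
    const redacted = new URL(value, baseUrl);
    redacted.username = "";
    redacted.password = "";
    findings.push({ tag, attr, kind, blocked: kind === "subresource", url: redacted.href });
  }
  return findings;
}

for (const f of auditMarkup(SAMPLE_HTML, "https://example.com/page")) {
  console.log(`${f.kind.padEnd(11)} <${f.tag} ${f.attr}> ${f.url} blocked=${f.blocked}`);
}
```

Pass a base URL that has no userinfo of its own, since relative URLs inherit the base URL's username and password when resolved.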

Comment 6 by k7r...@gmail.com, Sep 22 2017

OK.
Thanks for the clarification.
Cc: sc00335...@techmahindra.com
Labels: Needs-Triage-M61 Needs-Feedback Triaged-ET
@Reporter: as per comment #5, it seems you got clarification for this issue. If yes, can we close this?

Thanks!

Comment 8 by k7r...@gmail.com, Sep 22 2017

Yes, please go ahead and close this.

Comment 9 by sheriffbot@chromium.org, Sep 22 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "sc00335628@techmahindra.com" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: WontFix (was: Unconfirmed)
