Bug 1159584: Unable to load images from other NTLM authenticated servers
Status: RESOLVED WORKSFORME
Opened 9 years ago, closed 9 years ago
Categories: Core :: Networking, defect
People: Reporter: abartlet, Unassigned
References: Blocks 1 open bug
Attachments: 2 files
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.2
Build ID: 20150420231403
Steps to reproduce:
With apache config:
<Directory "/var/www/html/auth">
    AuthName "NTLM Authentication thingy"
    NTLMAuth on
    NTLMAuthHelper "/data/samba/samba4/prefix/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --password=password -d100"
    NTLMBasicAuthoritative on
    AuthType NTLM
    require valid-user
</Directory>
Hosts:
127.0.1.1 ruth ntlm1 ntlm2 ntlm3 ntlm4
And the attached file (supply own logo to use as test image)
Access http://localhost/auth
Enter username (any), password (password)
Actual results:
The images on hosts ntlm{1,2,3,4} do not load.
The network trace (also attached) shows no attempt at NTLM authentication, after the web server prompts for it with a 401.
Expected results:
As per Iceweasel 37.0.2, load all the images after prompting for credentials.
Comment 1 (Reporter) • 9 years ago
Comment 2 (Reporter) • 9 years ago
Bisection with mozregression shows
13:55.39 LOG: MainThread Bisector INFO Last good revision: 98ea146e6f51
13:55.39 LOG: MainThread Bisector INFO First bad revision: e7c656feac7f
13:55.39 LOG: MainThread Bisector INFO Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=98ea146e6f51&tochange=e7c656feac7f
This appears to be a deliberate change in bug 647010.
https://hg.mozilla.org/integration/mozilla-inbound/rev/2e642b4f35c4
Comment 4 • 9 years ago
Bug 647010 disabled the prompt for the authentication for the cross-origin subresources. Actually there is a pref for this so it can be allowed.
Here the subresources are cross-origin because the first request is to localhost and the sub-requests are to ntlm (1,2,3), so they are not the same, but they are actually the same host and the same IP address. It could be possible to take the IP address into account, but I am not sure how common such a case is on the internet.
I think it is fine to leave it like this.
Flags: needinfo?(dd.mozilla)
Comment 5 (Reporter) • 9 years ago
Thanks, I do agree with this analysis. I suspect that this will hit intranet use - because in the IE and NTLM-authentication dominated intranet, application developers and their target IE on Windows users do not notice that their resources are being served from more than one server or name.
I wasn't hoping for the IP address to count, that was just how I was trying to confirm that multiple concurrent NTLM authentication requests were not broken. I set that preference (network.auth.allow-subresource-auth = 2) to permit that testing.
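The origin check discussed in comments 4 and 5, as an added sketch (not Firefox's code and not written by anyone in this thread): it shows why the images on the ntlm aliases count as cross-origin even though they share an IP address with localhost. The function names, the sample URLs and the meanings given to pref values 0 and 1 are assumptions; the thread itself only shows value 2.

```javascript
// Added illustration, not Firefox source. Function names are hypothetical.
// Pref values (0 and 1 are assumed meanings; the thread only shows 2):
//   0 = no sub-resource may open an HTTP auth prompt
//   1 = only same-origin sub-resources may
//   2 = cross-origin sub-resources may as well

// Origin is (scheme, host, port) taken from the URL text; DNS is never consulted,
// so two names that resolve to the same IP address are still different origins.
function isCrossOrigin(topLevelUrl, requestUrl) {
  return new URL(topLevelUrl).origin !== new URL(requestUrl).origin;
}

// Decide whether a 401 challenge on this request may lead to a credentials prompt.
function mayPromptForAuth(topLevelUrl, requestUrl, isSubresource, pref) {
  if (!isSubresource) return true; // the top-level document can always prompt
  if (pref === 2) return true;
  if (pref === 1) return !isCrossOrigin(topLevelUrl, requestUrl);
  return false; // 0, or any unrecognised value: fail closed
}

function classify(topLevelUrl, subresourceUrls, pref) {
  return subresourceUrls.map((url) => ({
    url,
    crossOrigin: isCrossOrigin(topLevelUrl, url),
    prompt: mayPromptForAuth(topLevelUrl, url, true, pref),
  }));
}

// Constructed requests modelled on the report: the page is opened via localhost,
// the images are referenced via the ntlm1..ntlm4 aliases of the same machine.
const page = "http://localhost/auth/";
const images = [
  "http://localhost/auth/logo.png",
  "http://ntlm1/auth/logo.png",
  "http://ntlm2/auth/logo.png",
  "http://localhost:8080/auth/logo.png", // same host, other port: also cross-origin
];

for (const pref of [1, 2]) {
  console.log(`pref=${pref}`, classify(page, images, pref));
}
```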
Comment 6 • 9 years ago
I will close this bug. Maybe we will have a problem when this feature reaches release, but then changing pref will fix it.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
Comment 7 • 9 years ago
Terrible fix....lazy fix.... a "we don't give a F" fix. Just shut the whole thing down instead of implementing a smart embedded warning/exception storing fix. Another blow to the usability and utility of Firefox.