XHR with credentials in URL blocked for unknown reason
Categories: DevTools :: Netmonitor, defect, P3
Tracking: Not tracked
People: Reporter: jdescottes, Unassigned
Attachments: 1 file (deleted), text/plain
STRs:
- go to https://yasgui.triply.cc/
- open devtools -> network
- in the input on the top left, paste https://a:b@coypu-fuseki.aksw.org/
- press Enter
ER: request should fail with 401
AR: The request will show up as Blocked, with no details.
On the server we end up on https://searchfox.org/mozilla-central/rev/230a641415c4212fe719279263e8ddf2a411aff1/devtools/server/actors/network-monitor/utils/network-utils.js#278, so we have no information from the platform about what caused the failure.
Some context: the URL uses "credentials in url" for basic http auth (https://user:pass@domain.com). Here "a:b" is not a valid user, but it should at least fail with a 401 (it does on chrome). The user who reported the issue has the same exact problem with valid credentials except they cannot be shared here. But using a:b is enough to see a discrepancy between Chrome and Firefox here.
On DevTools side we are not helpful because we don't show any relevant information to the user, but maybe there is also an issue on the Network side here?
Bomsy, dragana, do you know about potential similar issues?
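The "credentials in url" form mentioned in the description, as an added example that is not part of the bug report or of Firefox code: it moves the userinfo of a URL into an `Authorization: Basic` header and redacts it before the URL is written to a log. The function names are hypothetical and the code assumes Node.js (it uses `Buffer` for base64).

```javascript
// Added example: hypothetical helpers, not Firefox or DevTools code.

// Split "https://user:pass@host/" into a credential-free URL and a Basic header.
function splitUrlCredentials(input) {
  const url = new URL(input); // throws TypeError on malformed input
  if (!/^https?:$/.test(url.protocol)) {
    throw new Error(`unsupported scheme: ${url.protocol}`);
  }
  const hasCredentials = url.username !== "" || url.password !== "";
  let authorization = null;
  if (hasCredentials) {
    // The URL API keeps userinfo percent-encoded; Basic auth needs raw values.
    // decodeURIComponent throws URIError on a malformed escape such as "%zz".
    const user = decodeURIComponent(url.username);
    const pass = decodeURIComponent(url.password);
    if (user.includes(":")) {
      // RFC 7617: the user-id cannot contain a colon.
      throw new Error("user-id must not contain ':'");
    }
    authorization =
      "Basic " + Buffer.from(`${user}:${pass}`, "utf8").toString("base64");
    url.username = "";
    url.password = "";
  }
  return { url: url.href, authorization, hasCredentials };
}

// Replace userinfo with a marker so the URL can be logged safely.
function redactForLog(input) {
  const url = new URL(input);
  if (url.username !== "" || url.password !== "") {
    url.username = "REDACTED";
    url.password = "";
  }
  return url.href;
}

// URL taken from the steps to reproduce above.
const sample = splitUrlCredentials("https://a:b@coypu-fuseki.aksw.org/");
console.log(sample.url, sample.authorization);
console.log(redactForLog("https://a:b@coypu-fuseki.aksw.org/"));
```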
Comment 1•2 years ago
Julian, thanks for filing.
There does not seem to be a directly related issue filed on the netmonitor end for this issue.
Comment 2•2 years ago
I will take a look.
Comment 3•2 years ago
I tried to reproduce but I cannot. For me, it shows a prompt that the web site wants to send credentials.
Do you have addons installed? Have you tried with a clean profile?
Can you create a HTTP log? See the HTTP Logging page for steps to capture HTTP logs.
The logs may contain cookies and all visited uri, please try to use a clean profile and do not visit privacy-sensitive sites.
Comment 4•2 years ago (Reporter)
(In reply to Dragana Damjanovic [:dragana] from comment #3)
> I tried to reproduce but I cannot. For me, it shows a prompt that the web site wants to send credentials.
>
> Do you have addons installed? Have you tried with a clean profile?
> Can you create a HTTP log? See the [HTTP Logging](https://firefox-source-docs.mozilla.org/networking/http/logging.html) page for steps to capture HTTP logs.
>
> The logs may contain cookies and all visited uri, please try to use a clean profile and do not visit privacy-sensitive sites.

Thanks for checking! I used a clean profile. Just did it again on latest central + clean profile. I am using macos and artifact builds if that matters.

I am surprised you are seeing a prompt at all with those STRs? You are not supposed to navigate to https://a:b@coypu-fuseki.aksw.org/:
- open https://yasgui.triply.cc/
- write "https://a:b@coypu-fuseki.aksw.org/" in the input visible in that page
- press Enter

My http log is attached.
(I had 3 tabs open: one on https://yasgui.triply.cc/, one on mozilla.org, one on about:networking)
Comment 5•1 year ago
Seems to be related to bug 1738251 comment 13.
I'll have a look if we can fix that - and what's the expected spec behaviour.
Comment 6•1 year ago (Reporter)
Thanks, keeping the bug open to either add a devtools test or validate the fix once the blocking bug landed.