Open Bug 1775356 Opened 2 years ago Updated 1 year ago

XHR with credentials in URL blocked for unknown reason

Categories

(DevTools :: Netmonitor, defect, P3)

Tracking

(Not tracked)

People

(Reporter: jdescottes, Unassigned)

Attachments

(1 file)

STRs:

ER: request should fail with 401
AR: The request will show up as Blocked, with no details.
On the server we end up on https://searchfox.org/mozilla-central/rev/230a641415c4212fe719279263e8ddf2a411aff1/devtools/server/actors/network-monitor/utils/network-utils.js#278, so we have no information from the platform about what caused the failure.

Some context: the URL uses "credentials in url" for basic http auth (https://user:pass@domain.com). Here "a:b" is not a valid user, but it should at least fail with a 401 (it does on chrome). The user who reported the issue has the same exact problem with valid credentials except they cannot be shared here. But using a:b is enough to see a discrepancy between Chrome and Firefox here.

On DevTools side we are not helpful because we don't show any relevant information to the user, but maybe there is also an issue on the Network side here?

Bomsy, dragana, do you know about potential similar issues?

Flags: needinfo?(hmanilla)
Flags: needinfo?(dd.mozilla)
Summary: XHR Blocked for unknown reason → XHR with credentials in URL blocked for unknown reason

Julian, thanks for filing.
There does not seem to be a directly related issue filed on the netmonitor end for this issue.

Flags: needinfo?(hmanilla)

I will take a look.

I tried to reproduce but I cannot. For me, it shows a prompt that the web site wants to send credentials.

Do you have addons installed? Have you tried with a clean profile?
Can you create a HTTP log? See the HTTP Logging page for steps to capture HTTP logs.

The logs may contain cookies and all visited URIs; please try to use a clean profile and do not visit privacy-sensitive sites.

Flags: needinfo?(dd.mozilla) → needinfo?(jdescottes)
Attached file http_log (deleted)

(In reply to Dragana Damjanovic [:dragana] from comment #3)
> I tried to reproduce but I cannot. For me, it shows a prompt that the web site wants to send credentials.
> 
> Do you have addons installed? Have you tried with a clean profile?
> Can you create a HTTP log? See the [HTTP Logging](https://firefox-source-docs.mozilla.org/networking/http/logging.html) page for steps to capture HTTP logs.
> 
> The logs may contain cookies and all visited URIs; please try to use a clean profile and do not visit privacy-sensitive sites.

Thanks for checking!

I used a clean profile. Just did it again on latest central + clean profile. I am using macOS and artifact builds if that matters.

I am surprised you are seeing a prompt at all with those STRs? You are not supposed to navigate to https://a:b@coypu-fuseki.aksw.org/:
- open https://yasgui.triply.cc/
- write "https://a:b@coypu-fuseki.aksw.org/" in the input visible in that page
- press Enter

My http log is attached. (I had 3 tabs open: one on https://yasgui.triply.cc/, one on mozilla.org, one on about:networking)
Flags: needinfo?(jdescottes) → needinfo?(dd.mozilla)
Flags: needinfo?(dd.mozilla) → needinfo?(valentin.gosu)

Seems to be related to bug 1738251 comment 13.
I'll have a look if we can fix that - and what's the expected spec behaviour.

Depends on: 1738251
Flags: needinfo?(valentin.gosu)

Thanks, keeping the bug open to either add a devtools test or validate the fix once the blocking bug has landed.

Severity: -- → S3
Priority: -- → P3
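
Added example (not part of the bug report and not Firefox or DevTools code): the "credentials in URL" form described in the report can be split into an explicit Basic `Authorization` header and a credential-free URL, with a redacted form that is safe to paste into logs or bug comments. The function names are hypothetical; the sample input is the `a:b` test URL from the report.

```javascript
// Added example. Function names are hypothetical, not a DevTools or Necko API.

// Base64-encode a string as UTF-8 bytes (works in browsers and Node >= 16).
function base64Utf8(text) {
  const bytes = new TextEncoder().encode(text);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}

// Split "https://user:pass@host/..." into:
//   url           - the same URL with the userinfo removed
//   authorization - the equivalent "Basic ..." header value (null if none)
//   redacted      - a form that keeps the URL shape but hides the secret
function splitUrlCredentials(rawUrl) {
  const url = new URL(rawUrl); // throws TypeError on unparsable input
  if (url.username === "" && url.password === "") {
    return { url: url.href, authorization: null, redacted: url.href };
  }
  // URL.username and URL.password are percent-encoded; decode before use.
  const user = decodeURIComponent(url.username);
  const pass = decodeURIComponent(url.password);
  // RFC 7617: a user-id containing ":" cannot be represented in Basic auth.
  if (user.includes(":")) throw new Error("user-id must not contain ':'");
  const authorization = "Basic " + base64Utf8(`${user}:${pass}`);

  const redacted = new URL(url.href);
  redacted.username = "REDACTED";
  redacted.password = "REDACTED";

  url.username = "";
  url.password = "";
  return { url: url.href, authorization, redacted: redacted.href };
}

// The test URL from the report: "a:b" is deliberately not a valid user.
const sample = splitUrlCredentials("https://a:b@coypu-fuseki.aksw.org/");
console.log(sample.url);           // request this URL ...
console.log(sample.authorization); // ... with this Authorization header
console.log(sample.redacted);      // share this form in logs or comments
```
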