Authorisation header not sent for POST requests #628

Open
chrismatheson opened this issue Nov 7, 2017 · 5 comments
Labels
needs tests Moving the issue forward requires someone to write tests

chrismatheson commented Nov 7, 2017

Possibly I'm still not completely understanding all the ins and outs of browser security, but I think what I'm trying to achieve is relatively simple.

I have a page served 100% over HTTPS, I'm using basic auth, with the username & password being held by the browser and (should) be sent with every request from there onwards.

I have added the credentials: 'same-origin' to the fetch function call and for GET requests it's included, but the same code path with a POST request does not include the header in the request.

fetch("/center/57023368c4d6931600216494", {headers: {"Content-Type": "application/json", Accept: "application/json"}, credentials: "same-origin", method: "GET"})

fetch("/users/find", {headers: {"Content-Type": "application/json", Accept: "application/json"}, credentials: "same-origin", method: "POST", body: "{\"center\":\"US testing\"}"})

I don't think this is a CORS issue since everything is talking to the same domain. I've tried expanding to credentials: 'include' but no difference. And I've seen the problem in both Safari & Chrome.

There seems to be little or no feedback so I'm really stuck as to whether this is a spec / implementation issue or a browser issue or a "you're not using the code correctly" issue. Any help appreciated.

annevk (Member) commented Nov 7, 2017

It does not happen in Firefox?

Anything else special in your setup or can you indeed reproduce with just the bits stated in OP? If that's it, I'd file a bug against Chrome and Safari.

chrismatheson (Author) commented Nov 7, 2017

@annevk In Firefox the header is sent as expected :) I'm reasonably sure this is a browser difference thing. I was filing here because I'm not sure of the spec's desired behaviour for what I'm trying to do, so not sure if it's a bug in the browser or possibly just behaviour not covered by the spec?

annevk (Member) commented Nov 7, 2017

It's a bug. I recommend filing at https://crbug.com/new and https://bugs.webkit.org/enter_bug.cgi?product=WebKit&component=HTML%20DOM. I'm not sure to what extent we cover HTTP authentication in the test suite. It might be worth keeping this open until we have decent test coverage there. If you're interested in working on that let me know.

chrismatheson (Author) commented

Bugs filed:
https://bugs.chromium.org/p/chromium/issues/detail?id=782621
https://bugs.webkit.org/show_bug.cgi?id=179422

@annevk did you mean working on the test coverage or the fix? :)

annevk (Member) commented Nov 8, 2017

I meant test coverage. I don't have any sway over Chromium or WebKit. To the extent we have any test coverage it will be in the XMLHttpRequest/, fetch/, and cors/ directories of https://github.com/w3c/web-platform-tests.

annevk added the needs tests label Nov 24, 2017
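
An added example, not code from this thread or from the Fetch test suite: a Node.js request handler for a same-origin test server that records, per HTTP method, whether the browser attached the Basic `Authorization` header, so the GET/POST difference reported above can be checked from the server side. The names `basicUser`, `handle`, `methodsNeverAuthenticated`, `start`, the realm `repro` and the port are assumptions.

```javascript
// Added diagnostic example; all names below are hypothetical.
const REALM = "repro";   // constructed realm name
const seen = [];         // one record per request; the password is never stored

// Return the username from a Basic Authorization header, or null if absent/malformed.
function basicUser(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header || "");
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const i = decoded.indexOf(":");
  return i < 0 ? null : decoded.slice(0, i);
}

// Record what arrived, then challenge with 401 when no credentials were sent.
function handle(req, res) {
  const user = basicUser(req.headers["authorization"]);
  seen.push({ method: req.method, url: req.url, hasAuth: user !== null });
  if (user === null) {
    res.writeHead(401, { "WWW-Authenticate": `Basic realm="${REALM}"` });
    return res.end();
  }
  res.writeHead(200, { "Content-Type": "application/json" });
  res.end(JSON.stringify({ method: req.method, user }));
}

// Methods for which no request ever carried credentials. A single
// unauthenticated request followed by an authenticated retry is the normal
// challenge/response flow, so only methods that never succeed are reported.
function methodsNeverAuthenticated(records) {
  const methods = new Set(records.map(r => r.method));
  for (const r of records) if (r.hasAuth) methods.delete(r.method);
  return [...methods];
}

// Start a local server on the loopback interface (call manually, e.g. start(8080)).
function start(port) {
  return require("http").createServer(handle).listen(port, "127.0.0.1");
}
```

After loading a page from this server and issuing the two `fetch` calls from the original report, `methodsNeverAuthenticated(seen)` lists the methods the browser never authenticated.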