Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow XMLHttpRequests to prevent password dialogs #6171

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Allow XMLHttpRequests to prevent password dialogs #6171

wants to merge 1 commit into from
+28 −2

Conversation

mdellweg
Copy link
Member

@mdellweg mdellweg commented Jan 2, 2025

When presented a WWW-Authenticate header with "Basic", a browser will always ask the user for a password, before returning the 401 response to the web application issuing the XHR in the first place. Returning a fake authentication method instead seems to be the common workaround pattern.

@mdellweg mdellweg force-pushed the XMLHttpRequest branch 2 times, most recently from 3e64f38 to 8c2d039 Compare January 2, 2025 14:28
@mdellweg
Allow XMLHttpRequests to prevent password dialogs
d0210d4 
When presented a WWW-Authenticate header with "Basic", a browser will
always ask the user for a password, before returning the 401 response to
the web application issuing the XHR in the first place.
Returning a fake authentication method instead seems to be the common
workaround pattern.
@mdellweg mdellweg marked this pull request as ready for review January 2, 2025 16:54
@mdellweg mdellweg enabled auto-merge (rebase) January 2, 2025 16:54
pedro-psb
pedro-psb reviewed Jan 3, 2025
View reviewed changes
Copy link
Member

@pedro-psb pedro-psb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That implementation looks straightforward, but I don't get the motivation. Isn't that expected when using a browser client?

@mdellweg
Copy link
Member Author

mdellweg commented Jan 4, 2025

The motivation is, that a web app can indicate this is an AJAX request. This is useful if you want the 401 response to be handed back to the JS part of the application right away (e.g. to redirect to a nice looking login page). Without this, the browser will find the "www-authenticate: Basic" and it will present its password dialog. There is no way to circumvent that on the client side.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pedro-psb pedro-psb pedro-psb left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
no-issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mdellweg @pedro-psb