Spec WWW-Authenticate and Proxy-Authenticate handling in HTTP-network-or-cache fetch #1766
Labels
needs concrete proposal
Moving the issue forward requires someone to figure out a detailed plan
topic: http
Comments
annevk
added
topic: http
needs concrete proposal
gmta
added a commit
to gmta/ladybird
that referenced
this issue
Aug 13, 2024
If the HTTP 401 response we get does not contain a `WWW-Authenticate` header, we should not trigger the logic to ask the user for credentials and retry the request. This part is hinted at in a TODO / 'Needs testing' remark in the spec but needs to be fleshes out. Raised an upstream issue to do so: whatwg/fetch#1766
gmta
added a commit
to gmta/ladybird
that referenced
this issue
Aug 13, 2024
If the HTTP 401 response we get does not contain a `WWW-Authenticate` header, we should not trigger the logic to ask the user for credentials and retry the request. This part is hinted at in a TODO / 'Needs testing' remark in the spec but needs to be fleshes out. Raised an upstream issue to do so: whatwg/fetch#1766 This fixes login forms triggering an infinite fetch loop when providing incorrect credentials.
gmta
added a commit
to gmta/ladybird
that referenced
this issue
Aug 13, 2024
If a HTTP 401 response we get does not contain a `WWW-Authenticate` header, we should not trigger the logic to ask the user for credentials and retry the request. This part is hinted at in a TODO / 'Needs testing' remark in the spec but needs to be fleshes out. Raised an upstream issue to do so: whatwg/fetch#1766 This fixes login forms triggering an infinite fetch loop when providing incorrect credentials.
gmta
added a commit
to gmta/ladybird
that referenced
this issue
Aug 13, 2024
If a HTTP 401 response we get does not contain a `WWW-Authenticate` header, we should not trigger the logic to ask the user for credentials and retry the request. This part is hinted at in a TODO / 'Needs testing' remark in the spec but needs to be fleshed out. Raised an upstream issue to do so: whatwg/fetch#1766 This fixes login forms triggering an infinite fetch loop when providing incorrect credentials.
gmta
added a commit
to gmta/ladybird
that referenced
this issue
Aug 13, 2024
If a HTTP 401 response we get does not contain a `WWW-Authenticate` header, we should not trigger the logic to ask the user for credentials and retry the request. This part is hinted at in a TODO / 'Needs testing' remark in the spec but needs to be fleshed out. Raised an upstream issue to do so: whatwg/fetch#1766 This fixes login forms triggering an infinite fetch loop when providing incorrect credentials. Co-Authored-By: Victor Tran <[email protected]>
tcl3
pushed a commit
to LadybirdBrowser/ladybird
that referenced
this issue
Aug 13, 2024
If a HTTP 401 response we get does not contain a `WWW-Authenticate` header, we should not trigger the logic to ask the user for credentials and retry the request. This part is hinted at in a TODO / 'Needs testing' remark in the spec but needs to be fleshed out. Raised an upstream issue to do so: whatwg/fetch#1766 This fixes login forms triggering an infinite fetch loop when providing incorrect credentials. Co-Authored-By: Victor Tran <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What is the issue with the Fetch Standard?
The current HTTP-network-or-cache fetch specification leaves checking the
WWW-Authenticateheader open for interpretation; ignoring it might trigger an infinite HTTP 401 loop re-asking a username and password to send with the new requests:fetch/fetch.bs
Lines 5873 to 5874 in 4cb3cf2
Similarly, HTTP 407 handling has outstanding
Proxy-Authenticateheader handling that needs to be specced:fetch/fetch.bs
Lines 5918 to 5919 in 4cb3cf2
The text was updated successfully, but these errors were encountered: