bluenviron / mediamtx

Ready-to-use SRT / WebRTC / RTSP / RTMP / LL-HLS media server and media proxy that allows you to read, publish, proxy, record and play back video and audio streams.
MIT License

Error auth LL-HLS over browser use external authentication #1777

Closed pikachu937 closed 1 year ago

pikachu937 commented 1 year ago

Which version are you using?

v0.22.2

Which operating system are you using?

Describe the issue

When trying to view LL-HLS (with external authentication enabled) through the Chrome/Safari/Firefox browser with authentication data (in the format https://login:password@ip:port/stream), the password is not accepted and a password entry window appears. If you enter the password manually, then viewing will be available. But this is not correct because the password has already been passed in the link.

Also, if I try to log in through curl (for example: curl https://login:password@ip:port/stream), then in the console I get HTML from the server, and in the server log I see successful authentication:

2023/05/03 21:15:54 DEB [HLS] [conn 192.168.1.77:50783] GET /path1/
2023/05/03 21:15:54 DEB [HLS] [conn 192.168.1.77:50783] [c->s] GET /path1/ HTTP/2.0
Host: 192.168.1.150:8888
Accept: /
Authorization: Basic
uybtiuytiITBnuygYGBrvytRYTrvy5tr55HJiuyn7FDFX7687ttvucytetyrexCTRCFVHGFBJHGJNJKHgdcGFdhgv8786fuyvViITBfstz643gfhxjgfxyetwt4ee65ifghcFXGXGFXKtr563w
User Agent: curl/7.86.0

2023/05/03 21:15:54 INF [HLS] [muxer path1] created (requested by 192.168.1.77)
2023/05/03 21:15:54 INF [HLS] [muxer path1] is converting into HLS, 1 track (H264)
2023/05/03 21:15:54 DEB [HLS] [conn 192.168.1.77:50783] [s->c] HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Content-Type: text/html
Server: mediamtx

UPD. The same problem is observed in WebRTC as well.

Describe how to replicate the issue

  1. Set the external authentication parameter (externalAuthenticationURL: http://server_ext_auth/extauth/in.php) in mediamtx.yml
  2. Start the server
  3. Publish with gstreamer/ffmpeg or any method that works on this server
  4. Read with the Chrome/Safari/Firefox browser - https://login:password@ip:port/stream

Did you attach the server logs?

no

Did you attach a network dump?

no

aler9 commented 1 year ago

Hello, passing credentials through the URL is blocked by all modern browsers for security reasons.

pikachu937 commented 1 year ago

> Hello, passing credentials through the URL is blocked by all modern browsers for security reasons.

But if you follow the link https://login:password@ip:port/stream/stream.m3u8, nothing is blocked, but in this case the playlist is downloaded, so the browser does not block authentication.

aler9 commented 1 year ago

I have to amend my previous answer: all modern browsers don't pass credentials to subresources if credentials have been set in the URL. More info: https://chromestatus.com/feature/5669008342777856

Anyway, this is not a server issue.

github-actions[bot] commented 9 months ago

This issue is being locked automatically because it has been closed for more than 6 months. Please open a new issue in case you encounter a similar problem.
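
The behaviour discussed in this thread can be sidestepped in a custom web client by moving the credentials out of the URL and into an explicit `Authorization: Basic` header, the same header curl sends in the log above. The following is an added example, not part of the original thread and not mediamtx code; the function names `splitCredentials` and `requestFor` are hypothetical, and the host and credentials are constructed sample values.

```javascript
// Added example (not from the thread): turn a URL with embedded credentials
// into a credential-free URL plus an explicit Basic Authorization header.
// fetch() rejects URLs that contain credentials with a TypeError, and browsers
// do not forward URL credentials to subresources, so a client has to do this.

function splitCredentials(rawUrl) {
  const url = new URL(rawUrl);
  const headers = {};
  if (url.username !== "" || url.password !== "") {
    // The URL getters return the percent-encoded form; decode it first.
    const user = decodeURIComponent(url.username);
    const pass = decodeURIComponent(url.password);
    // RFC 7617: the user-id must not contain ":" or the split is ambiguous.
    if (user.includes(":")) {
      throw new Error("username must not contain ':' for Basic auth");
    }
    // Basic auth is base64 over the UTF-8 bytes of "user:pass".
    const bytes = new TextEncoder().encode(`${user}:${pass}`);
    headers["Authorization"] = `Basic ${btoa(String.fromCharCode(...bytes))}`;
    // Strip the credentials so they do not end up in logs or Referer headers.
    url.username = "";
    url.password = "";
  }
  return { url: url.toString(), headers };
}

// Build the request for a subresource (playlist, segment) relative to the
// page URL, reusing the same header instead of relying on the browser.
function requestFor(baseRawUrl, relativePath) {
  const { url, headers } = splitCredentials(baseRawUrl);
  return { url: new URL(relativePath, url).toString(), headers };
}

// Constructed sample input: 192.0.2.10 is a documentation address.
const sample = requestFor("https://login:password@192.0.2.10:8888/stream/", "stream.m3u8");
console.log(sample.url, sample.headers);
```

The returned `headers` object can be passed as the `headers` option of `fetch(url, { headers })` for each playlist or segment request.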