Open mhuber84 opened 6 years ago
basicauth.zip is a minimal test case for this issue.
There is a bugfix and patch that should resolve this issue:
https://bugs.chromium.org/p/chromium/issues/detail?id=808018
https://bugs.chromium.org/p/chromium/issues/detail?id=808995
Our project is protected by HTTP Basic Authentication, and we have to enter the username/password on every d3.json() call in Google Chrome.
It seems like in Google Chrome 64 there is a difference between
xhr.open(method, url, true, user, password);
with user=null and password=null and
xhr.open(method, url, true);
In the second case http://mydomain is built as the URL, the credentials from the browser cache are submitted, and everything is fine. But in the first case a URL like http://null:null@mydomain is built, which overwrites the cached credentials. And because the credentials are wrong, the browser gives you the authentication popup. You can see the URLs in the browser's developer toolbar in the network tab.
https://github.com/d3/d3-request/blob/62551679e4f8a0cbce222174db8dcbcf3b0fd437/src/request.js#L107
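The difference between the two calls described in the report, as an added example (not code from the issue or from d3-request): a guard that passes credentials to xhr.open() only when they are set, next to a small model of the reported null-to-"null" coercion. The helper names safeOpen, effectiveUrl and recordingXhr, and the sample URL, are assumptions made for illustration.

```javascript
// Added example; safeOpen, effectiveUrl and recordingXhr are hypothetical names.

// Models the behaviour reported for Chrome 64: when coerceNull is true, null
// credentials are stringified and written into the URL's userinfo part.
function effectiveUrl(url, user, password, coerceNull) {
  const u = new URL(url);
  if (user != null || coerceNull) u.username = String(user);
  if (password != null || coerceNull) u.password = String(password);
  return u.href;
}

// Guard: use the three-argument form unless a credential was actually given,
// so the browser's cached Basic Auth credentials are not overridden.
function safeOpen(xhr, method, url, user, password) {
  if (user == null && password == null) {
    xhr.open(method, url, true);
  } else {
    xhr.open(method, url, true, user, password);
  }
}

// Stand-in for XMLHttpRequest that records the arguments passed to open(),
// so the example runs outside a browser.
function recordingXhr() {
  const calls = [];
  return { calls, open: (...args) => { calls.push(args); } };
}

// Constructed sample URL, matching the host name used in the report.
const sampleUrl = "http://mydomain/data.json";

console.log(effectiveUrl(sampleUrl, null, null, true));  // coerced form
console.log(effectiveUrl(sampleUrl, null, null, false)); // clean form

const xhr = recordingXhr();
safeOpen(xhr, "GET", sampleUrl, null, null);
safeOpen(xhr, "GET", sampleUrl, "alice", "s3cret"); // constructed credentials
console.log(xhr.calls.map((args) => args.length));
```
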