Closed geothird closed 4 years ago
For anyone looking for a workaround to this, if you are proxying through a web server you can strip the header:
# Apache
Header unset WWW-Authenticate
# Nginx
proxy_hide_header WWW-Authenticate;
+1. Being able to hide WWW-Authenticate with an option would be a better solution.
It's worth pointing out that this behaviour is contrary to RFC 7235:
The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource.
Yes, I know. I do not want to challenge the spec, but the problem is that the browser will handle this natively (pop up a dialog), and there's no way we can disable it.
I think providing an option, with the default as normal and turned off only when a developer really needs to, should be an acceptable solution.
What happened with this? Is there another workaround? Safari is giving us issues: we get the native login popup even when we're just doing a jQuery call.
+1
Setting this option to true will not send the header, just a 401. This is used to prevent native browser authentication popups.