.netrc ignored temporarily

[sid-code]

Version info (see :version): v1.5.1

Does the bug happen if you start with --temp-basedir? (if applicable): This can't really be reproduced with a temporary basedir because it involves closing qutebrowser, re-opening, and resuming the tab from the suspended state.

Description The .netrc is ignored when a tab wakes up from being suspended. The incredibly irritating modal password prompt shows up for some random .css file loaded by the page. I can dismiss it (press escape) and refresh the page and it won't show up again.

How to reproduce

1. Set up .netrc for a page with a password
2. Make sure qutebrowser resumes with suspended tabs
3. Open the tab, and close qutebrowser
4. reopen qutebrowser and switch to the suspended .netrc-using tab
5. qutebrowser asks for the password for a random .css file loaded by the site. Dismiss the popup and refresh, and no password will be asked.

[toofar]

I tried testing with https://httpbin.org/basic-auth/user/password and could not reproduce. In fact switching to that tab (so un-suspending it) didn't even cause _on_authentication_required to get entered, I had to reload. I guess it loaded from cache (disabling the cache in the inspector didn't help). I also tried with a local app so I could test it with a css file, still couldn't reproduce, nor with an image from another origin, nor with a style link added via JS.

I'm on Qt 5.11.1. Do you have a public test site? Instead of using --temp-basedir you can use --basedir /tmp/basic-auth-test/ to make a clean basedir and re-use that for the second run.

[The-Compiler]

I can reproduce that with crashes.qutebrowser.org which I have in my netrc file, even without having to restart. It happens because netrc is only used once until a new page is loaded (because we can't detect wrong passwords, so that'd be an endless loop otherwise). Instead, we probably should have a list of URLs where netrc was already used or so.

[sid-code]

@toofar

Do you have a public test site?

I've just put one up: https://skulk.org/netrc auth: general:password

There is a css file on that page. However, I cannot reproduce this exact issue, as it never asks for any password on that website even if I resume it from a suspended state. The offending web application that I'm using must be doing something funky to trick qutebrowser into asking for a password.

@The-Compiler

Thanks for putting time into this. I'm not entirely understanding what this sentence means in the context of this issue:

netrc is only used once until a new page is loaded

How does this cause qutebrowser to ask for my password for a random css file served under that domain? I'm reading through all the relevant code I can find, so if I can understand the issue I'll attempt to fix it.

[The-Compiler]

Here's what (I think) happens:

• load starts (netrc_used gets unset)
• page itself gets loaded, qutebrowser supplies credentials via netrc and sets netrc_used
• CSS gets loaded, qutebrowser doesn't use netrc anymore because netrc_used is set

The problem that netrc_used is trying to solve is what happens when the password is wrong:

• load starts
• page gets loaded, qutebrowser supplies wrong credentials automatically
• QtWebEngine asks for credentials again
• qutebrowser gives it the same credentials
• repeat until the computer gets bored

[sid-code]

I understand now. However, why does this not happen on my test site https://skulk.org/netrc (general:password) which loads a htpasswd-protected css file? Is it because the distance (temporally) between the two password-protected requests is so small that qutebrowser ends up doing the right thing?

[The-Compiler]

I don't know. I'd expect QtWebEngine to not even ask for a password twice (because it should know that the same password is still valid), but it does.

[sid-code]

Hey, I think I've actually fixed it by doing what you said! I replaced netrc_used: bool in the TabData class with netrc_used_for: dict[url, bool] and changed some code and now it seems to work! I only did it for the webengine backend. If I were to write a pull request, would you prefer I also implemented it for webkit?

[The-Compiler]

Why would it need to be a dict? Sounds easier to just make it a set of URLs. As for QtWebKit, you'll probably need to adjust that code as well so it keeps working at all, as TabData is the same IIRC.