whatwg / fetch

Fetch Standard
https://fetch.spec.whatwg.org/

Authorisation header not sent for POST requests #628

Open chrismatheson opened 7 years ago

chrismatheson commented 7 years ago

Possibly I'm still not completely understanding all the ins and outs of browser security, but I think what I'm trying to achieve is relatively simple.

I have a page served 100% over HTTPS. I'm using Basic auth, with the username & password being held by the browser and (as they should be) sent with every request from there onwards.

I have added credentials: 'same-origin' to the fetch function call, and for GET requests it's included, but the same code path with a POST request does not include the header in the request.

fetch("/center/57023368c4d6931600216494", {headers: {"Content-Type": "application/json", Accept: "application/json"}, credentials: "same-origin", method: "GET"})

fetch("/users/find", {headers: {"Content-Type": "application/json", Accept: "application/json"}, credentials: "same-origin", method: "POST", body: "{\"center\":\"US testing\"}"})

I don't think this is a CORS issue since everything is talking to the same domain. I've tried expanding to credentials: 'include' but no difference. And I've seen the problem in both Safari & Chrome.

There seems to be little or no feedback, so I'm really stuck as to whether this is a spec / implementation issue or a browser issue or a "you're not using the code correctly" issue. Any help appreciated.

annevk commented 7 years ago

It does not happen in Firefox?

Anything else special in your setup or can you indeed reproduce with just the bits stated in OP? If that's it, I'd file a bug against Chrome and Safari.

chrismatheson commented 7 years ago

@annevk in Firefox the header is sent as expected :) I'm reasonably sure this is a browser difference thing; I was filing here because I'm not sure of the spec's desired behaviour for what I'm trying to do, so not sure if it's a bug in the browser or possibly just behaviour not covered by the spec?

annevk commented 7 years ago

It's a bug. I recommend filing at https://crbug.com/new and https://bugs.webkit.org/enter_bug.cgi?product=WebKit&component=HTML%20DOM. I'm not sure to what extent we cover HTTP authentication in the test suite. It might be worth keeping this open until we have decent test coverage there. If you're interested in working on that let me know.

chrismatheson commented 6 years ago

Bugs filed: https://bugs.chromium.org/p/chromium/issues/detail?id=782621 https://bugs.webkit.org/show_bug.cgi?id=179422

@annevk did you mean working on the test coverage or the fix? :)

annevk commented 6 years ago

I meant test coverage. I don't have any sway over Chromium or WebKit. To the extent we have any test coverage it will be in the XMLHttpRequest/, fetch/, and cors/ directories of https://github.com/w3c/web-platform-tests.