Discussion:
[chromium-discuss] manifest.json can't be retrieved via referrer from behind http auth, even if user is auth'd
Robert Rees
2017-05-10 15:45:41 UTC
I have a staging server that uses basic HTTP authentication to restrict
access. After a user gives their credentials, they are able to access the
site just fine with the exception of the site's manifest.json - it appears
that Chrome is not passing the credentials for the domain along with the
referrer request for the manifest, which then causes a 401. You can,
however, hit the file directly just fine.

I haven't been able to find much information on the subject, though I'm
curious if this behavior is intentional.

To replicate, set up a server with basic HTTP auth. Create a manifest.json
as well as a basic html file that links to said manifest. Try to hit the
page, get the login prompt, and fill in your credentials. When you
successfully load the page, check your console and notice that you get a
401 for the manifest. Then try to hit the file directly and notice that it
loads.

I've validated this with both Windows 10 and Linux (not sure the specific
version at play - simply had a coworker test for me).
--
--
Chromium Discussion mailing list: chromium-***@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

---
You received this message because you are subscribed to the Google Groups "Chromium-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discuss+***@chromium.org.
PhistucK
2017-05-11 07:33:06 UTC
You can search crbug.com for an existing issue and star it. If you cannot
find one, file a new issue using the "New issue" link on the same page.
Please, do not add a "+1" or "Me too" or "Confirmed" (or similar) comment.
It just wastes the time of Chrome engineers and sends unnecessary e-mails
to all of the people who starred the issue.

You can reply with a link to the found or created issue and it might get
triaged (and fixed) faster.

Thank you.



☆*PhistucK*
Dominick
2017-05-22 02:57:59 UTC
Hi Robert,

You need to add crossOrigin="use-credentials" to allow the manifest fetch
to use the previous authentication.
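Added example, not part of the original thread: a Node.js model of the behaviour discussed above, in which a server demands HTTP Basic auth on every path and the manifest request only carries the cached credentials when the `<link rel="manifest">` element has `crossorigin="use-credentials"`. The credentials, realm, and the `page`, `handle` and `manifestFetch` helpers are constructed for illustration, and the browser side is a simplified model, not Chrome's code.

```javascript
// Constructed staging credentials (assumption, not from the thread).
const USER = "staging", PASS = "example-password";
const EXPECTED = "Basic " + Buffer.from(`${USER}:${PASS}`).toString("base64");

// Page markup with or without the attribute suggested in the thread.
const page = (withCreds) =>
  `<!doctype html><link rel="manifest" href="/manifest.json"` +
  (withCreds ? ` crossorigin="use-credentials"` : "") +
  `><title>staging</title>`;

// Server side: Basic auth is enforced on every path, manifest included.
// (Plain string comparison is enough for this offline model.)
function handle(path, headers = {}) {
  if (headers.authorization !== EXPECTED) {
    return { status: 401,
             headers: { "WWW-Authenticate": 'Basic realm="staging"' },
             body: "" };
  }
  if (path === "/manifest.json") {
    return { status: 200,
             headers: { "Content-Type": "application/manifest+json" },
             body: JSON.stringify({ name: "Staging", start_url: "/" }) };
  }
  return { status: 200, headers: { "Content-Type": "text/html" },
           body: page(true) };
}

// Browser side (simplified): the manifest is fetched without credentials
// unless the link element opts in with crossorigin="use-credentials".
function manifestFetch(html, cachedAuth) {
  const link = html.match(/<link\b[^>]*rel="manifest"[^>]*>/i);
  if (!link) return null;
  const href = link[0].match(/href="([^"]+)"/i)[1];
  const include = /crossorigin="use-credentials"/i.test(link[0]);
  return handle(href, include ? { authorization: cachedAuth } : {});
}

// Walk through the three observations from the thread.
console.log("manifest via plain link:      ",
  manifestFetch(page(false), EXPECTED).status);
console.log("manifest via use-credentials: ",
  manifestFetch(page(true), EXPECTED).status);
console.log("manifest requested directly:  ",
  handle("/manifest.json", { authorization: EXPECTED }).status);
```
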
R. J. Lewis
2018-11-07 17:23:53 UTC
Dominick... I can't _thank you_ enough!