Fetch Standard change: Authorization removed upon cross-origin redirects #22533
Comments
Per https://wpt.fyi/results/fetch/api/credentials/authentication-redirection.any.html, WebKit already conforms with this spec change — but Blink and Gecko do not yet. We may want to wait on documenting this until we have at least one other conforming implementation.
This is related to https://bugzilla.mozilla.org/show_bug.cgi?id=1802086.
Trying to work out what this "means" to users/documentation. My understanding is that previously if the So in terms of docs it looks like the place this affects is the So if you set If that's about right we can add a note below
No, this specifically changes the behavior for when the
You mean if they call
When it goes across origins, yes. (Also with
There isn't any particularly great place for this information.
@annevk The yaml values in https://bugzilla.mozilla.org/show_bug.cgi?id=1802086 indicate FF also strips the header from
Thanks. I think I've captured all this in #25127. Let's see how the reviews go.
Where is the best place to ask a question about this new feature? I am experiencing the Authorization header being stripped in Firefox Developer Edition, even though the response is not a cross-origin redirect. This is a request from a SPA using the Axios library to an API on the same subdomain & both using HTTPS. Setting
@schalkneethling Can you help @rhclayto ? |
@rhclayto While I am not an expert, that sounds like a bug. I would check FF Bugzilla to see if there is anything related. If not, I'd create a bug report with enough info for this to be reproduced and then cross link from https://bugzilla.mozilla.org/show_bug.cgi?id=1802086
Pending bcd I'll close as complete 👍 |
Thank you. I did file a bug & this was resolved (problem on my end). This new feature helped me discover a security bug in my own code.
@rhclayto Can you provide more details about the problem you had, maybe link the bug you reported? We're hitting the same thing and I'm not quite sure what to look for in fixing this.
Here is the bugzilla report: https://bugzilla.mozilla.org/show_bug.cgi?id=1821881 It may be of no help to you, since soon after reporting it, I discovered that my front end code was making a request to a plain http endpoint, instead of https, & the server was doing a redirect to https, thus triggering this behavior. A typo on my part. I think an http to https upgrade will count as a redirect & cause Authorization header stripping, with the current Firefox devel implementation of the new spec. I hope you get it all sorted out without too much trouble! |
whatwg/fetch#1544 changes the Fetch Standard to remove a web-developer-set Authorization header upon a cross-origin redirect.
This probably ought to be documented.
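To make the rule concrete, here is an added example (not code from this issue, MDN or the Fetch Standard) that models the origin comparison and the header drop in JavaScript. The URLs are constructed, and it assumes Node 18+ for the global `URL` and `Headers` classes; the http-to-https case mirrors the redirect described later in the thread.

```javascript
// Added example: models the whatwg/fetch#1544 rule that a developer-set
// Authorization header is dropped when a redirect crosses origins.
// An origin is scheme + host + port, so an http -> https redirect to the
// same host is cross-origin and the header is removed.
// Assumes Node 18+ (global URL and Headers); sample URLs are constructed.

// Return true when the redirect target is on a different origin than the request.
// Location may be relative, so resolve it against the request URL as a browser does.
function isCrossOriginRedirect(requestUrl, locationHeader) {
  const from = new URL(requestUrl);
  const to = new URL(locationHeader, requestUrl);
  // URL.origin normalizes default ports, e.g. "https://h:443" -> "https://h".
  return from.origin !== to.origin;
}

// Given the headers set on the original request, return the headers that
// survive a redirect to `locationHeader` under the updated spec.
function headersAfterRedirect(requestUrl, locationHeader, headers) {
  const out = new Headers(headers);
  if (isCrossOriginRedirect(requestUrl, locationHeader)) {
    out.delete("authorization"); // Headers lookups are case-insensitive
  }
  return out;
}

// Constructed cases: same-origin path redirect, scheme upgrade, different host.
const SAMPLE_REDIRECTS = {
  sameOrigin: ["https://api.example.com/v1/login", "/v1/session"],
  httpUpgrade: ["http://api.example.com/v1/login", "https://api.example.com/v1/login"],
  crossHost: ["https://app.example.com/api", "https://api.example.com/api"],
};

// For each case, report whether the Authorization header is still present.
function authorizationSurvives(cases = SAMPLE_REDIRECTS) {
  const result = {};
  for (const [name, [req, loc]] of Object.entries(cases)) {
    const h = headersAfterRedirect(req, loc, { Authorization: "Bearer <placeholder>" });
    result[name] = h.has("authorization");
  }
  return result;
}

console.log(authorizationSurvives());
// -> { sameOrigin: true, httpUpgrade: false, crossHost: false }
```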