Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-09-27 23:30:08 +01:00
Code Issues Projects Releases Packages Wiki Activity

net: Don't prompt for credentials when 401 response has no WWW-Authenticate header (#39215)

Browse source 
Testing: Includes a new unit test
Fixes: https://github.com/servo/servo/issues/39214

---------

Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
This commit is contained in:
Simon Wülker 2025-09-09 02:56:49 +02:00 committed by GitHub
parent d469e5e564
commit eec56acd12
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 74 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

10
components/net/http_loader.rs
View file

@ -27,7 +27,7 @@ use headers::{
};
use http::header::{
self, ACCEPT, ACCESS_CONTROL_REQUEST_HEADERS, AUTHORIZATION, CONTENT_ENCODING,
CONTENT_LANGUAGE, CONTENT_LOCATION, CONTENT_TYPE, HeaderValue, RANGE,
CONTENT_LANGUAGE, CONTENT_LOCATION, CONTENT_TYPE, HeaderValue, RANGE, WWW_AUTHENTICATE,
};
use http::{HeaderMap, Method, Request as HyperRequest, StatusCode};
use http_body_util::combinators::BoxBody;
@ -1719,8 +1719,12 @@ async fn http_network_or_cache_fetch(
// Step 14. If responses status is 401, httpRequests response tainting is not "cors",
// includeCredentials is true, and requests window is an environment settings object, then:
// TODO(#33616): Figure out what to do with request window objects
if let (Some(StatusCode::UNAUTHORIZED), false, true) =
(response.status.try_code(), cors_flag, include_credentials)
// NOTE: Requiring a WWW-Authenticate header here is ad-hoc, but seems to match what other browsers are
// doing. See Step 14.1.
if response.status.try_code() == Some(StatusCode::UNAUTHORIZED) &&
!cors_flag &&
include_credentials &&
response.headers.contains_key(WWW_AUTHENTICATE)
{
// TODO: Step 14.1 Spec says requires testing on multiple WWW-Authenticate headers