Bug Tracker

Ticket #14036 (closed bug: fixed)

Opened 2 years ago

Last modified 2 years ago

ajaxLocation Includes HTTP Basic Authentication Info

Reported by: paulie4 Owned by:
Priority: low Milestone: 1.11/2.1
Component: ajax Version: 1.10.1
Keywords: Cc:
Blocking: Blocked by:


On some browsers, like Google Chrome, location.href includes the HTTP Basic Authentication that was typed into the location bar. This makes s.crossDomain become true when an AJAX request is made to the same domain, since this line in ajax.js

parts = rurl.exec( s.url.toLowerCase() );

makes the code think the username is the domain. I'm not totally sure if this is the best way to do it, but I think this line:

ajaxLocation = location.href;

should change to this:

ajaxLocation = location.protocol+'//'+location.host+':'+location.port;

Change History

comment:1 Changed 2 years ago by paulie4

Sorry, according to Mozilla's docs ( https://developer.mozilla.org/en-US/docs/Web/API/window.location?redirectlocale=en-US&redirectslug=DOM%2Fwindow.location), location.host already has the port info, so the new code should just be like this:

ajaxLocation = location.protocol+'//'+location.host;
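Added example (not part of the ticket or of jQuery's own code) that reproduces the mismatch outside a browser: `rurl` is assumed to be the host-parsing pattern jQuery 1.10's ajax.js used, and `fakeLocation` is a constructed stand-in for `window.location` as the reporter describes Chrome exposing it.

```javascript
// Assumed to match the `rurl` pattern in jQuery 1.10 ajax.js:
// captures [1] protocol, [2] host (stops at '/', '?', '#' or ':'), [3] numeric port.
const rurl = /^([\w.+-]+:)(?:\/\/([^\/?#:]*)(?::(\d+)|)|)/;

// Same decision jQuery makes for s.crossDomain: protocol, host and
// (defaulted) port of the request must all equal those of ajaxLocation.
function isCrossDomain(ajaxLocation, requestUrl) {
  const locParts = rurl.exec(ajaxLocation.toLowerCase());
  const parts = rurl.exec(requestUrl.toLowerCase());
  const port = (p) => p[3] || (p[1] === "http:" ? "80" : "443");
  return !!(parts && (
    parts[1] !== locParts[1] ||
    parts[2] !== locParts[2] ||
    port(parts) !== port(locParts)
  ));
}

// What rurl believes the page's host is for a given ajaxLocation value.
function hostSeenBy(ajaxLocation) {
  return rurl.exec(ajaxLocation.toLowerCase())[2];
}

// Constructed stand-in for window.location after credentials were typed into
// the address bar: href keeps the userinfo, host does not.
const fakeLocation = {
  href: "http://username:password@example.com/index.html",
  protocol: "http:",
  host: "example.com",
};

// Before the fix: ajaxLocation = location.href
const buggyAjaxLocation = fakeLocation.href;
// After the fix from comment:1: ajaxLocation = location.protocol + "//" + location.host
const fixedAjaxLocation = fakeLocation.protocol + "//" + fakeLocation.host;

// With the buggy value, "username" is taken as the host (the ':' before the
// password ends the host capture), so a same-origin request looks cross-domain.
console.log(hostSeenBy(buggyAjaxLocation));                           // username
console.log(isCrossDomain(buggyAjaxLocation, "http://example.com/api")); // true
console.log(hostSeenBy(fixedAjaxLocation));                           // example.com
console.log(isCrossDomain(fixedAjaxLocation, "http://example.com/api")); // false
```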

comment:2 Changed 2 years ago by dmethvin

  • Priority changed from undecided to low
  • Status changed from new to open
  • Component changed from unfiled to ajax
  • Milestone changed from None to 1.11/2.1

comment:3 Changed 2 years ago by njhamann

I ran into this issue yesterday and wanted to offer a patch. I will have a PR in by the end of the weekend.

You can clearly see the issue by visiting http://username:password@example.com/ in Chrome. Then run


The response will include username:password@

comment:4 Changed 2 years ago by njhamann

  • Status changed from open to closed
  • Resolution set to fixed

Fix #14036. Remove user/pass from ajaxLocation. Close gh-1340.

Changeset: 0d68b7877f761264bfe4950e4df156b854925a6b
