Ticket #14036 (closed bug: fixed)

Opened 18 months ago

Last modified 13 months ago

ajaxLocation Includes HTTP Basic Authentication Info

Reported by: paulie4 Owned by:
Priority: low Milestone: 1.11/2.1
Component: ajax Version: 1.10.1
Keywords: Cc:
Blocking: Blocked by:

Description

On some browsers, like Google Chrome, location.href includes the HTTP Basic Authentication that was typed into the location bar. This makes s.crossDomain become true when an AJAX request is made to the same domain, since this line in ajax.js

parts = rurl.exec( s.url.toLowerCase() );

makes the code think the username is the domain. I'm not totally sure if this is the best way to do it, but I think this line:

ajaxLocation = location.href;

should change to this:

ajaxLocation = location.protocol+'//'+location.host+':'+location.port;

Change History

comment:1 Changed 18 months ago by paulie4

Sorry, according to Mozilla's docs ( https://developer.mozilla.org/en-US/docs/Web/API/window.location?redirectlocale=en-US&redirectslug=DOM%2Fwindow.location), location.host already has the port info, so the new code should just be like this:

ajaxLocation = location.protocol+'//'+location.host;
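The following is an added example, not code from the ticket or from jQuery itself. It reproduces the URL-splitting regex and the scheme/host/port comparison that jQuery 1.10's ajax.js uses to set s.crossDomain (quoted here from memory, so treat the exact expression as an assumption), and runs it once with the credential-bearing location.href from the description and once with the protocol + '//' + host form proposed in comment:1. The location object is constructed to mimic what Chrome exposes after the URL in comment:3 has been typed into the address bar.

```javascript
// Added example: why a location.href that still carries HTTP Basic credentials
// makes jQuery 1.10 classify a same-origin request as cross-domain, and how
// building ajaxLocation from protocol + host avoids it. Not jQuery's own code.

// URL-splitting regex as used by jQuery 1.10 ajax.js (assumed to match the
// original): [1] = scheme, [2] = host, [3] = explicit port (if any).
const rurl = /^([\w.+-]+:)(?:\/\/([^\/?#:]*)(?::(\d+)|)|)/;

// Default port used by jQuery when the URL does not name one.
function defaultPort(scheme) {
  return scheme === "http:" ? "80" : "443";
}

// Mirror of the crossDomain computation: a request is cross-domain when the
// scheme, host or effective port of the target differs from ajaxLocation's.
// Relative URLs do not match rurl and are therefore never cross-domain.
function isCrossDomain(ajaxLocation, url) {
  const loc = rurl.exec(ajaxLocation.toLowerCase()) || [];
  const parts = rurl.exec(url.toLowerCase());
  return !!(
    parts &&
    (parts[1] !== loc[1] ||
      parts[2] !== loc[2] ||
      (parts[3] || defaultPort(parts[1])) !== (loc[3] || defaultPort(loc[1])))
  );
}

// Host component that jQuery ends up comparing against, for a given ajaxLocation.
function hostSeenByJQuery(ajaxLocation) {
  const m = rurl.exec(ajaxLocation.toLowerCase());
  return m ? m[2] : undefined;
}

// The line from the original ajax.js: credentials stay in the string.
function buggyAjaxLocation(location) {
  return location.href;
}

// The replacement from comment:1: credentials are never part of location.host.
function fixedAjaxLocation(location) {
  return location.protocol + "//" + location.host;
}

// Constructed stand-in for window.location after visiting the URL from comment:3.
// Real credentials never belong in a URL like this; the values are placeholders.
const locationWithCreds = {
  href: "http://username:password@example.com/",
  protocol: "http:",
  host: "example.com",
};

const sameOriginUrl = "http://example.com/api/data";

// Demonstration output when run directly with node.
console.log("host seen (buggy):", hostSeenByJQuery(buggyAjaxLocation(locationWithCreds)));
console.log("host seen (fixed):", hostSeenByJQuery(fixedAjaxLocation(locationWithCreds)));
console.log("crossDomain (buggy):", isCrossDomain(buggyAjaxLocation(locationWithCreds), sameOriginUrl));
console.log("crossDomain (fixed):", isCrossDomain(fixedAjaxLocation(locationWithCreds), sameOriginUrl));
```

With the credential-bearing href, rurl stops at the first colon after `//`, so the "host" it captures is the literal string `username`, which never equals the real host and flips crossDomain to true for every absolute same-origin URL. Once ajaxLocation is rebuilt from location.protocol and location.host, the captured host is `example.com` and only a genuinely different scheme, host or port is reported as cross-domain.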

comment:2 Changed 18 months ago by dmethvin

  • Priority changed from undecided to low
  • Status changed from new to open
  • Component changed from unfiled to ajax
  • Milestone changed from None to 1.11/2.1

comment:3 Changed 16 months ago by njhamann

I ran into this issue yesterday and wanted to offer a patch. I will have a PR in by the end of the weekend.

You can clearly see the issue by visiting http://username:password@example.com/ in Chrome. Then run

location.href

The response will include username:password@

comment:4 Changed 13 months ago by njhamann

  • Status changed from open to closed
  • Resolution set to fixed

Fix #14036. Remove user/pass from ajaxLocation. Close gh-1340.

Changeset: 0d68b7877f761264bfe4950e4df156b854925a6b