
Ticket #14036 (closed bug: fixed)

Opened 10 months ago

Last modified 5 months ago

ajaxLocation Includes HTTP Basic Authentication Info

Reported by: paulie4
Owned by: (unassigned)
Priority: low
Milestone: 1.11/2.1
Component: ajax
Version: 1.10.1
Keywords: (none)
Cc: (none)
Blocking: (none)
Blocked by: (none)

Description

On some browsers, like Google Chrome, location.href includes the HTTP Basic Authentication that was typed into the location bar. This makes s.crossDomain become true when an AJAX request is made to the same domain, since this line in ajax.js

parts = rurl.exec( s.url.toLowerCase() );

makes the code think the username is the domain. I'm not totally sure if this is the best way to do it, but I think this line:

ajaxLocation = location.href;

should change to this:

ajaxLocation = location.protocol+'//'+location.host+':'+location.port;

Change History

comment:1 Changed 10 months ago by paulie4

Sorry, according to Mozilla's docs (https://developer.mozilla.org/en-US/docs/Web/API/window.location?redirectlocale=en-US&redirectslug=DOM%2Fwindow.location), location.host already has the port info, so the new code should just be like this:

ajaxLocation = location.protocol+'//'+location.host;
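The following is an added example, not code from the ticket or from jQuery itself, that models the cross-domain check described in the description and the fix proposed in comment:1. The rurl pattern is reproduced from memory of jQuery 1.10's ajax.js and is an assumption; the fakeLocation object stands in for window.location in a browser that keeps Basic credentials in location.href, and the request URL is constructed for the demo.

```javascript
// Added example (not jQuery's own code). Shows why an ajaxLocation taken
// from location.href makes a same-origin request look cross-domain when the
// address bar carried "user:pass@", and why protocol + host avoids that.

// Assumption: jQuery 1.10's URL splitter, capturing protocol, host and port.
var rurl = /^([\w.+-]+:)(?:\/\/([^\/?#:]*)(?::(\d+)|)|)/;

// Constructed stand-in for window.location after visiting a URL with HTTP
// Basic credentials typed into the location bar (Chrome keeps them in href).
var fakeLocation = {
  href: "http://username:password@example.com/app/index.html",
  protocol: "http:",
  host: "example.com",   // host already includes a non-default port
  hostname: "example.com",
  port: ""
};

// Behaviour reported in the ticket: ajaxLocation copied from location.href.
function ajaxLocationBefore(loc) {
  return loc.href;
}

// Fix proposed in comment:1: protocol + host, no userinfo.
function ajaxLocationAfter(loc) {
  return loc.protocol + "//" + loc.host;
}

// jQuery's port defaulting for URLs that omit the port.
function defaultPort(parts) {
  return parts[3] || (parts[1] === "http:" ? "80" : "443");
}

// Host component the splitter extracts from an ajaxLocation string.
// With credentials present, "username" is returned instead of the host.
function parsedHost(ajaxLocation) {
  var parts = rurl.exec(ajaxLocation.toLowerCase());
  return parts ? parts[2] : null;
}

// Mirrors jQuery's s.crossDomain computation for an absolute request URL:
// cross-domain if protocol, host or effective port differ from ajaxLocation.
function isCrossDomain(requestUrl, ajaxLocation) {
  var ajaxLocParts = rurl.exec(ajaxLocation.toLowerCase()) || [];
  var parts = rurl.exec(requestUrl.toLowerCase());
  return !!(parts && (
    parts[1] !== ajaxLocParts[1] ||
    parts[2] !== ajaxLocParts[2] ||
    defaultPort(parts) !== defaultPort(ajaxLocParts)
  ));
}

// Constructed same-origin request URL.
var sameOriginUrl = "http://example.com/api/data.json";

console.log(parsedHost(ajaxLocationBefore(fakeLocation)));                    // "username"
console.log(isCrossDomain(sameOriginUrl, ajaxLocationBefore(fakeLocation)));  // true  (the bug)
console.log(parsedHost(ajaxLocationAfter(fakeLocation)));                     // "example.com"
console.log(isCrossDomain(sameOriginUrl, ajaxLocationAfter(fakeLocation)));   // false (fixed)
```

The splitter's host group stops at the first ":" so the userinfo is captured as the host and the real host never takes part in the comparison; a same-origin request is then treated as cross-domain, which changes how jQuery handles transports and headers for it. Building ajaxLocation from location.protocol and location.host sidesteps the userinfo entirely, and location.host is the right choice over hostname because it keeps any non-default port the comparison depends on.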

comment:2 Changed 10 months ago by dmethvin

  • Priority changed from undecided to low
  • Status changed from new to open
  • Component changed from unfiled to ajax
  • Milestone changed from None to 1.11/2.1

comment:3 Changed 8 months ago by njhamann

I ran into this issue yesterday and wanted to offer a patch. I will have a PR in by the end of the weekend.

You can clearly see the issue by visiting http://username:password@example.com/ in chrome. Then run

location.href

The response will include username:password@

comment:4 Changed 5 months ago by njhamann

  • Status changed from open to closed
  • Resolution set to fixed

Fix #14036. Remove user/pass from ajaxLocation. Close gh-1340.

Changeset: 0d68b7877f761264bfe4950e4df156b854925a6b
