#14036 closed bug (fixed)
Opened June 17, 2013 09:51PM UTC
Closed November 14, 2013 03:54AM UTC
ajaxLocation Includes HTTP Basic Authentication Info
| Reported by: | paulie4 | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | 1.11/2.1 |
| Component: | ajax | Version: | 1.10.1 |
| Keywords: | | Cc: | |
| Blocked by: | | Blocking: | |
Description
On some browsers, like Google Chrome, location.href includes the HTTP Basic Authentication that was typed into the location bar. This makes s.crossDomain become true when an AJAX request is made to the same domain, since this line in ajax.js
parts = rurl.exec( s.url.toLowerCase() );
makes the code think the username is the domain. I'm not totally sure if this is the best way to do it, but I think this line:
ajaxLocation = location.href;
should change to this:
ajaxLocation = location.protocol+'//'+location.host+':'+location.port;
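The mis-parse described in this report, shown as an added example that is not part of the original ticket or of jQuery's source. The `rurl` pattern and the comparison in `isCrossDomain` are assumptions modelled on the description, and Node's `URL` class stands in for `window.location`.

```javascript
// Assumption: a URL pattern of the kind the ticket refers to as rurl.
// Group 1 = scheme, group 2 = host (stops at the first ':'), group 3 = port.
const rurl = /^([\w.+-]+:)(?:\/\/([^\/?#:]*)(?::(\d+)|)|)/;

function defaultPort(protocol) {
  return protocol === "http:" ? "80" : "443";
}

// Host component as the pattern sees it (hypothetical helper).
function parsedHost(url) {
  const m = rurl.exec(url.toLowerCase());
  return m ? m[2] : null;
}

// Same-origin decision: compare scheme, host and effective port of the
// request URL against the page location string (hypothetical helper).
function isCrossDomain(requestUrl, ajaxLocation) {
  const parts = rurl.exec(requestUrl.toLowerCase());
  const loc = rurl.exec(ajaxLocation.toLowerCase()) || [];
  return !!(parts && (
    parts[1] !== loc[1] ||
    parts[2] !== loc[2] ||
    (parts[3] || defaultPort(parts[1])) !== (loc[3] || defaultPort(loc[1]))
  ));
}

// Constructed sample: a page opened with credentials typed into the URL.
const page = new URL("http://username:password@example.com/app/");
const fromHref = page.href;                        // keeps "username:password@"
const fromParts = page.protocol + "//" + page.host; // host already carries any port

const request = "http://example.com/api"; // same origin as the page

console.log(parsedHost(fromHref));              // the userinfo is read as the host
console.log(isCrossDomain(request, fromHref));  // same-origin call flagged cross-domain
console.log(parsedHost(fromParts));
console.log(isCrossDomain(request, fromParts)); // correct decision without userinfo
```

Building the location string from `protocol` and `host` also keeps the typed credentials out of any value derived from it.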
Attachments (0)
Change History (4)
Changed June 18, 2013 02:53AM UTC by comment:1
Changed June 23, 2013 04:02PM UTC by comment:2
| component: | unfiled → ajax |
|---|---|
| milestone: | None → 1.11/2.1 |
| priority: | undecided → low |
| status: | new → open |
Changed August 24, 2013 04:35PM UTC by comment:3
I ran into this issue yesterday and wanted to offer a patch. I will have a PR in by the end of the weekend.
You can clearly see the issue by visiting http://username:password@example.com/ in Chrome. Then run
location.href
The response will include username:password@
Sorry, according to Mozilla's docs (https://developer.mozilla.org/en-US/docs/Web/API/window.location?redirectlocale=en-US&redirectslug=DOM%2Fwindow.location), location.host already has the port info, so the new code should just be like this: