Bug Tracker

Opened 10 years ago

Closed 10 years ago

#14036 closed bug (fixed)

ajaxLocation Includes HTTP Basic Authentication Info

Reported by: paulie4 Owned by:
Priority: low Milestone: 1.11/2.1
Component: ajax Version: 1.10.1
Keywords: Cc:
Blocked by: Blocking:

Description

On some browsers, like Google Chrome, location.href includes the HTTP Basic Authentication that was typed into the location bar. This makes s.crossDomain become true when an AJAX request is made to the same domain, since this line in ajax.js

parts = rurl.exec( s.url.toLowerCase() );

makes the code think the username is the domain. I'm not totally sure if this is the best way to do it, but I think this line:

ajaxLocation = location.href;

should change to this:

ajaxLocation = location.protocol+'//'+location.host+':'+location.port;

Change History (4)

comment:1 Changed 10 years ago by paulie4

Sorry, according to Mozilla's docs (https://developer.mozilla.org/en-US/docs/Web/API/window.location?redirectlocale=en-US&redirectslug=DOM%2Fwindow.location), location.host already has the port info, so the new code should just be like this:

ajaxLocation = location.protocol+'//'+location.host;

comment:2 Changed 10 years ago by dmethvin

Component: unfiled → ajax
Milestone: None → 1.11/2.1
Priority: undecided → low
Status: new → open

comment:3 Changed 10 years ago by njhamann

I ran into this issue yesterday and wanted to offer a patch. I will have a PR in by the end of the weekend.

You can clearly see the issue by visiting http://username:password@example.com/ in Chrome. Then run

location.href

The response will include username:password@
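The following is an added example, not jQuery's source and not code from the reporter or the later PR. It reconstructs the same-origin check the description and comment:3 describe: the `rurl` pattern below is an assumption approximating the regex jQuery 1.10 used in ajax.js (protocol, host up to `/ ? # :`, optional numeric port), `isCrossDomain` is a simplified stand-in for the `s.crossDomain` computation, and `fakeLocation` is a constructed stand-in for `window.location` after credentials were typed into Chrome's address bar. It shows the regex taking the username as the host when `ajaxLocation` is `location.href`, and the check behaving correctly once `ajaxLocation` is built from `location.protocol + "//" + location.host` as in comment:1.

```javascript
// ASSUMPTION: approximates jQuery 1.10's `rurl` from ajax.js. It has no notion
// of a user:pass@ prefix, so userinfo lands in the host capture group.
const rurl = /^([\w.+-]+:)(?:\/\/([^\/?#:]*)(?::(\d+)|)|)/;

function defaultPort(protocol) {
  return protocol === "http:" ? "80" : "443";
}

// Simplified reconstruction of the crossDomain decision: a request is
// cross-domain if protocol, host, or effective port differ from ajaxLocation.
function isCrossDomain(ajaxLocation, requestUrl) {
  const ajaxLocParts = rurl.exec(ajaxLocation.toLowerCase()) || [];
  const parts = rurl.exec(requestUrl.toLowerCase());
  if (!parts) return false; // relative URL: never cross-domain
  const locPort = ajaxLocParts[3] || defaultPort(ajaxLocParts[1]);
  const reqPort = parts[3] || defaultPort(parts[1]);
  return parts[1] !== ajaxLocParts[1] ||
         parts[2] !== ajaxLocParts[2] ||
         reqPort !== locPort;
}

// What the regex reports as the host of a URL (for illustration).
function parsedHost(url) {
  const parts = rurl.exec(url.toLowerCase());
  return parts ? parts[2] : undefined;
}

// Constructed stand-in for window.location with credentials in href,
// as Chrome exposes it after http://alice:s3cret@example.com/ was typed.
const fakeLocation = {
  href: "http://alice:s3cret@example.com/app/index.html",
  protocol: "http:",
  host: "example.com", // host already includes the port when one is present
};

// Before the fix: ajaxLocation = location.href (carries alice:s3cret@)
const buggyAjaxLocation = fakeLocation.href;
// After the fix (comment:1): origin only, no userinfo
const fixedAjaxLocation = fakeLocation.protocol + "//" + fakeLocation.host;

function demo() {
  const sameOrigin = "http://example.com/api/data";
  const otherOrigin = "https://example.com/api/data";
  return {
    hostSeenByRegex: parsedHost(buggyAjaxLocation),               // "alice"
    buggySameOrigin: isCrossDomain(buggyAjaxLocation, sameOrigin), // true (wrong)
    fixedSameOrigin: isCrossDomain(fixedAjaxLocation, sameOrigin), // false
    fixedOtherOrigin: isCrossDomain(fixedAjaxLocation, otherOrigin), // true
  };
}

console.log(demo());
```

With the buggy value the host group captures `alice`, so a request to the page's own origin is treated as cross-domain (and the typed credentials travel along with `ajaxLocation` into that comparison). Building `ajaxLocation` from protocol and host drops the userinfo, so only a real protocol, host or port difference flags the request as cross-domain.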

comment:4 Changed 10 years ago by njhamann

Resolution: → fixed
Status: open → closed

Fix #14036. Remove user/pass from ajaxLocation. Close gh-1340.

Changeset: 0d68b7877f761264bfe4950e4df156b854925a6b
