Opened 10 years ago
Closed 10 years ago
#14036 closed bug (fixed)
ajaxLocation Includes HTTP Basic Authentication Info
| Reported by: | paulie4 | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | 1.11/2.1 |
| Component: | ajax | Version: | 1.10.1 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
On some browsers, like Google Chrome, location.href includes the HTTP Basic Authentication that was typed into the location bar. This makes s.crossDomain become true when an AJAX request is made to the same domain, since this line in ajax.js
parts = rurl.exec( s.url.toLowerCase() );
makes the code think the username is the domain. I'm not totally sure if this is the best way to do it, but I think this line:
ajaxLocation = location.href;
should change to this:
ajaxLocation = location.protocol+'//'+location.host+':'+location.port;
Change History (4)
comment:1 Changed 10 years ago by
comment:2 Changed 10 years ago by
| Component: | unfiled → ajax |
|---|---|
| Milestone: | None → 1.11/2.1 |
| Priority: | undecided → low |
| Status: | new → open |
comment:3 Changed 10 years ago by
I ran into this issue yesterday and wanted to offer a patch. I will have a PR in by the end of the weekend.
You can clearly see the issue by visiting http://username:password@example.com/ in chrome. Then run
location.href
The response will include username:password@
comment:4 Changed 10 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | open → closed |
Fix #14036. Remove user/pass from ajaxLocation. Close gh-1340.
Changeset: 0d68b7877f761264bfe4950e4df156b854925a6b
Sorry, according to Mozilla's docs (https://developer.mozilla.org/en-US/docs/Web/API/window.location?redirectlocale=en-US&redirectslug=DOM%2Fwindow.location), location.host already has the port info, so the new code should just be like this: