Bug Tracker

#14036 closed bug (fixed)

Opened June 17, 2013 09:51PM UTC

Closed November 14, 2013 03:54AM UTC

ajaxLocation Includes HTTP Basic Authentication Info

Reported by: paulie4
Owned by:
Priority: low
Milestone: 1.11/2.1
Component: ajax
Version: 1.10.1
Keywords:
Cc:
Blocked by:
Blocking:

Description

On some browsers, like Google Chrome, location.href includes the HTTP Basic Authentication that was typed into the location bar. This makes s.crossDomain become true when an AJAX request is made to the same domain, since this line in ajax.js

parts = rurl.exec( s.url.toLowerCase() );

makes the code think the username is the domain. I'm not totally sure if this is the best way to do it, but I think this line:

ajaxLocation = location.href;

should change to this:

ajaxLocation = location.protocol+'//'+location.host+':'+location.port;
Attachments (0)
Change History (4)

Changed June 18, 2013 02:53AM UTC by paulie4 comment:1

Sorry, according to Mozilla's docs (https://developer.mozilla.org/en-US/docs/Web/API/window.location?redirectlocale=en-US&redirectslug=DOM%2Fwindow.location), location.host already has the port info, so the new code should just be like this:

ajaxLocation = location.protocol+'//'+location.host;

Changed June 23, 2013 04:02PM UTC by dmethvin comment:2

component: unfiled → ajax
milestone: None → 1.11/2.1
priority: undecided → low
status: new → open

Changed August 24, 2013 04:35PM UTC by njhamann comment:3

I ran into this issue yesterday and wanted to offer a patch. I will have a PR in by the end of the weekend.

You can clearly see the issue by visiting http://username:password@example.com/ in Chrome. Then run

location.href

The response will include username:password@

Changed November 14, 2013 03:54AM UTC by njhamann comment:4

resolution: → fixed
status: open → closed

Fix #14036. Remove user/pass from ajaxLocation. Close gh-1340.

Changeset: 0d68b7877f761264bfe4950e4df156b854925a6b
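
The behaviour reported in this ticket, as an added example that is not code from the ticket or from the jQuery repository: it models the crossDomain comparison with location.href containing credentials and with the protocol-plus-host form proposed in comment:1. The regex is an approximation of the jQuery 1.10.x rurl pattern (an assumption, since the page does not show it), and the names isCrossDomain, safeAjaxLocation and fakeLocation are hypothetical.

```javascript
// Assumption: approximation of the rurl pattern in jQuery 1.10.x ajax.js.
// Captures: [1] protocol, [2] host, [3] port. It has no notion of userinfo.
var rurl = /^([\w.+-]+:)(?:\/\/([^\/?#:]*)(?::(\d+)|)|)/;

function defaultPort(protocol) {
  return protocol === "http:" ? "80" : "443";
}

// Model of the crossDomain decision: compare protocol, host and port of the
// request URL with those parsed from the page location string (ajaxLocation).
function isCrossDomain(requestUrl, ajaxLocation) {
  var loc = rurl.exec(ajaxLocation.toLowerCase()) || [];
  var parts = rurl.exec(requestUrl.toLowerCase());
  return !!(parts && (
    parts[1] !== loc[1] ||
    parts[2] !== loc[2] ||
    (parts[3] || defaultPort(parts[1])) !== (loc[3] || defaultPort(loc[1]))
  ));
}

// Proposal from comment:1: build the location from protocol and host only,
// so credentials typed into the location bar never reach the comparison.
// `loc` is any object shaped like window.location.
function safeAjaxLocation(loc) {
  return loc.protocol + "//" + loc.host;
}

// Constructed sample: a location object as described in comment:3,
// where href carries the Basic Authentication credentials.
var fakeLocation = {
  href: "http://username:password@example.com/app",
  protocol: "http:",
  host: "example.com"
};

var sameOrigin = "http://example.com/api/data";
var results = {
  // The username is captured where the host should be.
  parsedHost: rurl.exec(fakeLocation.href)[2],
  // Same-origin request misclassified as cross-domain.
  withHref: isCrossDomain(sameOrigin, fakeLocation.href),
  // Same request classified correctly once credentials are excluded.
  withStripped: isCrossDomain(sameOrigin, safeAjaxLocation(fakeLocation)),
  // A genuinely different host is still flagged.
  otherHost: isCrossDomain("http://other.example/api", safeAjaxLocation(fakeLocation)),
  // Relative URLs do not match rurl, so they were never affected.
  relative: isCrossDomain("/api/data", fakeLocation.href)
};
console.log(results);
```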