WebSocket: "HTTP authentication will not function" is not correct #565
Comments
|
Filed https://bugzilla.mozilla.org/show_bug.cgi?id=1380973 to remove the prompting in Firefox. |
|
@ricea do you wait for a challenge or just send credentials if you have them? |
|
Also, are there tests for this? |
|
As far as I know, Chrome always sends credentials in the initial request if it has them, but from the limited testing I've done it appears that Firefox doesn't. In Chrome we share the logic with ordinary HTTP. There don't appear to be any web-platform-tests testing this. We have Chrome-specific tests, but not of a sort that could be straightforwardly ported. |
|
I can't actually find any normative text that prohibits HTTP authentication. I will create a PR to remove the text that says it doesn't. |
Remove the warning that HTTP authentication is prohibited for WebSockets. See whatwg#565 for background.
|
Simple wpt at web-platform-tests/wpt#11433. |
Without the 401 that could in theory be sending auth for the wrong realm. |
|
@dveditz wrote:
Thanks for the clarification! If I catch Chrome doing the wrong thing I will file a bug. |
https://fetch.spec.whatwg.org/commit-snapshots/f3bb21991abdd335175fcc5d26a0d0b7b380d4fe/#websocket-opening-handshake
Actually HTTP authentication functions with WebSockets in Chrome, Firefox, IE, and Edge. It doesn't work in Safari, but that's a bug: https://bugs.webkit.org/show_bug.cgi?id=80362
Firefox will also give you a password prompt if it gets a 401 response on a WebSocket. Chrome and Edge will only use cached credentials. In Chrome's case, this is the policy for all subresources, rather than being a WebSocket-specific restriction.
The text was updated successfully, but these errors were encountered: