Created
March 17, 2011 18:27
Safari Authorization header broken after 302 redirect
# Run the app (ruby app.rb or shotgun app.rb)
#
# Open the page. Log in with test and test. Reload a few times. Page loads fine. Then
# click the link, which makes a 302 redirect back to the original page. Now when you reload it asks for
# username and password again. If you check the logs you can see the credentials are now broken.
# tcpdump also shows the Authorization header is broken.
#
# Tested with Safari 5.0.4 (6533.20.27), Safari 5.0.3 (6533.19.4)
# Webkit Nightly 5.0.3 (6533.19.4, r80833)
require "rubygems"
require "sinatra"
require "pp"

# Every route requires HTTP Basic credentials.
before do
  require_login!
end

get "/" do
  redirect "/foos"
end

get "/foos" do
  haml :foos
end

# The link on /foos points here; the 302 back to /foos is what triggers the bug.
get "/foos/:id" do
  redirect "/foos"
end

def require_login!
  unless authorized?
    response["WWW-Authenticate"] = %(Basic realm="Protected")
    throw(:halt, [401, "Not authorized\n"])
  end
end

def authorized?
  @auth ||= Rack::Auth::Basic::Request.new(request.env)
  # Debug output: the credentials Rack decoded from the Authorization header on this request.
  if @auth.provided?
    pp @auth.credentials
  else
    pp "Not provided."
  end
  @auth.provided? && @auth.basic? && @auth.credentials && @auth.credentials == ["test", "test"]
end

__END__

@@ layout
%html
  = yield

@@ foos
%a{:href => "/foos/666"} Make a GET request which redirects back to this page.
== Shotgun/Mongrel on http://127.0.0.1:9393/
"Not provided."
127.0.0.1 - - [19/Mar/2011 22:08:27] "GET / HTTP/1.1" 401 15 0.0091
["test", "test"]
127.0.0.1 - - [19/Mar/2011 22:08:33] "GET / HTTP/1.1" 302 - 0.0083
"Not provided."
127.0.0.1 - - [19/Mar/2011 22:08:33] "GET /foos HTTP/1.1" 401 15 0.0081
["test", "test"]
127.0.0.1 - - [19/Mar/2011 22:08:35] "GET /foos HTTP/1.1" 200 95 0.2404
["test", "test"]
127.0.0.1 - - [19/Mar/2011 22:08:36] "GET /foos/666 HTTP/1.1" 302 - 0.0085
["test", "test"]
127.0.0.1 - - [19/Mar/2011 22:08:36] "GET /foos HTTP/1.1" 200 95 0.2387
["test", "test\005\253\"q\321\225\315\320\351\321\225\315"]
127.0.0.1 - - [19/Mar/2011 22:08:37] "GET /foos HTTP/1.1" 401 15 0.0082
> sudo tcpdump -s 0 -A -ni lo0 port 4567

** Log in for the first time **

GET /foos HTTP/1.1
Host: 192.168.1.67:4567
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Authorization: Basic dGVzdDp0ZXN0
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-us) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://192.168.1.67:4567/foos
Connection: keep-alive

** Click a link which redirects back to the same page **

GET /foos/666 HTTP/1.1
Host: 192.168.1.67:4567
Authorization: Basic dGVzdDp0ZXN0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-us) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://192.168.1.67:4567/foos
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 302 Moved Temporarily
Location: http://192.168.1.67:4567/foos
Content-Type: text/html;charset=utf-8
Content-Length: 0
Connection: keep-alive
Server: thin 1.2.7 codename No Hup

GET /foos HTTP/1.1
Host: 192.168.1.67:4567
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Authorization: Basic dGVzdDp0ZXN0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-us) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://192.168.1.67:4567/foos
Connection: keep-alive

** Click reload; the Authorization header in the request is now broken (the field has been sent twice and folded into one comma-separated value) **

GET /foos HTTP/1.1
Host: 192.168.1.67:4567
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Authorization: Basic dGVzdDp0ZXN0,Basic dGVzdDp0ZXN0
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-us) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://192.168.1.67:4567/foos
Connection: keep-alive

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Protected"
Content-Type: text/html;charset=utf-8
Content-Length: 15
Connection: keep-alive
Server: thin 1.2.7 codename No Hup
>> Thin web server (v1.2.7 codename No Hup)
>> Maximum connections set to 1024
>> Listening on 0.0.0.0:4567, CTRL+C to stop
"Not provided."
192.168.1.67 - - [19/Mar/2011 22:06:36] "GET /foos HTTP/1.1" 401 15 0.0006
["test", "test"]
192.168.1.67 - - [19/Mar/2011 22:06:40] "GET /foos HTTP/1.1" 200 95 0.0023
["test", "test"]
192.168.1.67 - - [19/Mar/2011 22:06:42] "GET /foos/666 HTTP/1.1" 302 - 0.0008
["test", "test"]
192.168.1.67 - - [19/Mar/2011 22:06:42] "GET /foos HTTP/1.1" 200 95 0.0023
["test", "test\005\253\"q\321\225\315\320\351\321\225\315"]
192.168.1.67 - - [19/Mar/2011 22:06:43] "GET /foos HTTP/1.1" 401 15 0.0009
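How the doubled header turns into the garbage seen in the logs, as an added example that is not part of the original gist and not Rack's own code. The captured request carries "Authorization: Basic dGVzdDp0ZXN0,Basic dGVzdDp0ZXN0", i.e. two copies of the field folded into one comma-separated value. Rack::Auth::Basic::Request#credentials base64-decodes everything after the scheme with the lenient unpack("m") directive, which silently skips characters outside the base64 alphabet; the comma and the space vanish and the second "Basic dGVzdDp0ZXN0" is decoded as if it were payload. That is exactly "test\005\253\"q\321\225\315\320\351\321\225\315" above. The code below reimplements that lenient parse so it runs without the rack gem, next to a strict parser (the names lenient_credentials and strict_credentials are chosen here) that accepts only a single well-formed "Basic" token68 value, using the core unpack1("m0") strict decoder instead of the base64 gem. Both reject the login, but the strict one rejects it because the header is malformed rather than by comparing the password against decoded noise.

```ruby
# Header values taken from the tcpdump capture in the gist (the second one is
# the folded, doubled header Safari sent after the 302).
GOOD_HEADER   = "Basic dGVzdDp0ZXN0"
BROKEN_HEADER = "Basic dGVzdDp0ZXN0,Basic dGVzdDp0ZXN0"

# Reimplementation (for this example) of what Rack::Auth::Basic::Request did:
# drop the scheme, base64-decode the remainder with the lenient "m" directive,
# split on the first colon. unpack("m") ignores "," and " " and any other
# non-alphabet byte, so "Basic" and the repeated token are decoded as payload.
def lenient_credentials(header)
  scheme, params = header.split(" ", 2)
  return nil unless scheme && params && scheme.downcase == "basic"
  params.unpack("m").first.split(":", 2)
end

# token68 from RFC 7235 section 2.1: base64 alphabet plus optional "=" padding,
# no commas, no spaces, so a folded double header can never match.
TOKEN68 = /\A[A-Za-z0-9\-._~+\/]+=*\z/

# Strict parse: exactly two whitespace-separated parts, scheme "Basic",
# a single token68, padded base64 that decodes under the strict "m0" directive,
# and a decoded user-pass that actually contains a colon. Anything else is nil.
def strict_credentials(header)
  parts = header.split(" ")
  return nil unless parts.length == 2
  scheme, params = parts
  return nil unless scheme.downcase == "basic"
  return nil if params !~ TOKEN68
  decoded = begin
    params.unpack1("m0")
  rescue ArgumentError
    return nil
  end
  return nil unless decoded.include?(":")
  decoded.split(":", 2)
end

if $PROGRAM_NAME == __FILE__
  p lenient_credentials(GOOD_HEADER)    # ["test", "test"]
  p lenient_credentials(BROKEN_HEADER)  # ["test", "test" + 12 bytes of decoded noise]
  p strict_credentials(GOOD_HEADER)     # ["test", "test"]
  p strict_credentials(BROKEN_HEADER)   # nil
end
```

The lenient decoder happens to fail safe here only because the trailing bytes make the password compare fail; a header where the stray text decoded to nothing (or where the application compared only a prefix) would not be caught. Validating the Authorization grammar before decoding, and treating a repeated Authorization field as a protocol error, is the check a server-side Basic auth implementation should make.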