manifest.json can't be retrieved via referrer from behind http auth, even if user is auth'd


Robert Rees

May 11, 2017, 2:46:06 AM
to Chromium-discuss
I have a staging server that uses basic HTTP authentication to restrict access.  After a user gives their credentials, they are able to access the site just fine with the exception of the site's manifest.json - it appears that Chrome is not passing the credentials for the domain along with the referrer request for the manifest, which then causes a 401.  You can, however, hit the file directly just fine.

I haven't been able to find much information on the subject, though I'm curious if this behavior is intentional.

To replicate, set up a server with basic HTTP auth.  Create a manifest.json as well as a basic html file that links to said manifest.  Try to hit the page, get the login prompt, and fill in your credentials.  When you successfully load the page, check your console and notice that you get a 401 for the manifest.  Then try to hit the file directly and notice that it loads.

I've validated this with both Windows 10 and Linux (not sure the specific version at play - simply had a coworker test for me).

PhistucK

May 11, 2017, 3:34:00 AM
to gh0stp...@gmail.com, Chromium-discuss
You can search crbug.com for an existing issue and star it. If you cannot find one, file a new issue using the "New issue" link on the same page.
Please, do not add a "+1" or "Me too" or "Confirmed" (or similar) comment. It just wastes the time of Chrome engineers and sends unnecessary e-mails to all of the people who starred the issue.

You can reply with a link to the found or created issue and it might get triaged (and fixed) faster.

Thank you.



PhistucK


Dominick

May 21, 2017, 10:57:59 PM
to Chromium-discuss
Hi Robert,

You need to add crossOrigin="use-credentials" to allow the manifest fetch to use the previous authentication.
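
The fix from the reply above, turned into a check that can be run over a staging site's pages (an added example, not part of the original thread): it lists every `<link rel="manifest">` and flags those that lack `crossorigin="use-credentials"`. The function names and the sample markup are constructed for illustration.

```javascript
// Added example: audit HTML for manifest links that do not opt in to a
// credentialed fetch, which is the cause of the 401 described in this thread.
// All names and sample pages here are constructed, not taken from Chromium.

// Parse the attributes of one <link> start tag into a lower-cased name -> value map.
function parseAttributes(tag) {
  const attrs = Object.create(null);
  const body = tag.replace(/^<\s*link\b/i, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();          // HTML attribute names are case-insensitive
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per <link rel="manifest"> found in the document.
function auditManifestLinks(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<\s*link\b[^>]*>/gi)) {
    const attrs = parseAttributes(tag);
    const rels = (attrs.rel || '').toLowerCase().split(/\s+/);
    if (!rels.includes('manifest')) continue;
    // null = attribute absent, '' = bare "crossorigin" with no value
    const mode = 'crossorigin' in attrs ? attrs.crossorigin.trim().toLowerCase() : null;
    findings.push({
      href: attrs.href ?? null,
      crossorigin: mode,
      useCredentials: mode === 'use-credentials',
    });
  }
  return findings;
}

// Constructed sample pages: the failing markup, the fixed markup, a bare attribute.
const before = '<head><link rel="stylesheet" href="/a.css"><link rel="manifest" href="/manifest.json"></head>';
const after = '<head><link rel="manifest" href="/manifest.json" crossOrigin="use-credentials"></head>';
const bare = '<link rel=manifest href=/manifest.json crossorigin>';

for (const [label, html] of [['before', before], ['after', after], ['bare', bare]]) {
  console.log(label, JSON.stringify(auditManifestLinks(html)));
}
```

Any finding with `useCredentials: false` on a site behind HTTP auth is a candidate for the 401 on the manifest request.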

R. J. Lewis

Nov 8, 2018, 2:03:39 AM
to Chromium-discuss
Dominick... I can't _thank you_ enough!

J.s.

Feb 6, 2019, 1:32:56 PM
to Chromium-discuss
Thank you, that solved my issue.