This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 29543 - No Method For Handling an HTTP 401 Response Indicated
Status: NEW
Alias: None
Product: Browser Test/Tools WG
Classification: Unclassified
Component: WebDriver
Version: unspecified
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Browser Testing and Tools WG
QA Contact: Browser Testing and Tools WG
Blocks: 24121
Reported: 2016-03-26 18:01 UTC by Alexis Johnson
Modified: 2016-09-19 16:42 UTC

Description Alexis Johnson 2016-03-26 18:01:06 UTC
The Get method specified in section 7.1 acknowledges the possibility of receiving an HTTP 401 authentication challenge during the process of requesting a domain. However, there is no specification for how to specify these credentials.

Currently the only method afforded by the JSON Wire Protocol for handling a potential HTTP 401 is to provide the credentials as URL encoded strings as part of the URL (https://user:password@domain.tld/). If no credentials are specified, the Get will fail unless the session load strategy is none.

The URL based method of authentication is inconsistently handled by various browsers:
* Firefox will load the URL, add those credentials to the request, and then strip those credentials from its internally stored credentials
* Chrome will load the URL, add those credentials to the request, and leave the URL as provided
* Safari will display a Warning page indicating that the URL provided appears to be a phishing URL

The other primary user action for interacting with an HTTP 401 response is not afforded: sending credentials to a generated alert. A method for handling this is afforded in Selenium Webdriver: an "authenticate" method is provided in selenium.webdriver.common.alert.Alert. This method attempts to submit a POST request to "/session/$sessionId/alert/credentials", with a payload of the username and password. Despite this, there is no specification for this endpoint in the original prescription for the JSON Wire Protocol (https://github.com/SeleniumHQ/selenium/wiki/JsonWireProtocol), nor does there appear to be an equivalent affording of this functionality in this specification.

As a user of sites that utilize Basic Auth for authentication, I have almost never specified my credentials as part of the URL, in part because it means displaying those credentials in plain text on my screen, while also not always knowing if I am still authenticated with a site.

Especially with services such as Sauce Labs providing video of test runs that I want to share within my org, I would like to be able to specify these credentials in a way that will not be recorded when viewing the browser.

Authenticate method in Selenium Webdriver: https://seleniumhq.github.io/selenium/docs/api/py/webdriver/selenium.webdriver.common.alert.html?highlight=alert#selenium.webdriver.common.alert.Alert.authenticate

Direct implementation of the set credentials JSON wire protocol call: https://seleniumhq.github.io/selenium/docs/api/py/_modules/selenium/webdriver/remote/remote_connection.html#RemoteConnection.execute

Above link includes the following lines:
            Command.SET_ALERT_CREDENTIALS:
                ('POST', '/session/$sessionId/alert/credentials'),
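
Added example, not part of the original report and not Selenium or WebDriver code: a standard-library Python sketch of what the URL form described above carries, namely the equivalent Basic `Authorization` value, and of stripping the userinfo before a URL reaches a test log or recording. The function names are hypothetical; how a harness would attach the header is outside what this report specifies.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def _host_port(parts):
    """Rebuild the netloc without userinfo, keeping IPv6 brackets and port."""
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit drops the brackets from .hostname
        host = f"[{host}]"
    return f"{host}:{parts.port}" if parts.port is not None else host


def split_credentials(url):
    """Return (url_without_userinfo, basic_authorization_value_or_None)."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    # Userinfo is percent-encoded in the URL; the header carries the raw text.
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    clean = urlunsplit(
        (parts.scheme, _host_port(parts), parts.path, parts.query, parts.fragment)
    )
    return clean, f"Basic {token}"


def redact_for_log(url):
    """Replace any userinfo with a fixed marker so logs never hold the secret."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    netloc = "REDACTED@" + _host_port(parts)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample input using the placeholder URL from the report.
    sample = "https://user:password@domain.tld/"
    print(redact_for_log(sample))
    print(split_credentials(sample)[0])
```

Base64 is an encoding, not encryption, so the header value is as sensitive as the URL it came from and should be kept out of logs in the same way.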