From e7984a77116d47fde150f81f6e18cae6aaa147ad Mon Sep 17 00:00:00 2001 From: Jelle Raaijmakers Date: Tue, 13 Aug 2024 11:47:15 +0200 Subject: [PATCH] LibWeb: Check presence of `WWW-Authenticate` header in fetch response If a HTTP 401 response we get does not contain a `WWW-Authenticate` header, we should not trigger the logic to ask the user for credentials and retry the request. This part is hinted at in a TODO / 'Needs testing' remark in the spec but needs to be fleshed out. Raised an upstream issue to do so: https://github.com/whatwg/fetch/issues/1766 This fixes login forms triggering an infinite fetch loop when providing incorrect credentials. Co-Authored-By: Victor Tran --- Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp b/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp index dfd834fbe0d0..e290ce8659e0 100644 --- a/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp +++ b/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp @@ -1987,7 +1987,10 @@ WebIDL::ExceptionOr> http_network_or_cache_fet if (response->status() == 401 && http_request->response_tainting() != Infrastructure::Request::ResponseTainting::CORS && include_credentials == IncludeCredentials::Yes - && request->window().has>()) { + && request->window().has>() + // AD-HOC: Require at least one WWW-Authenticate header to be set before automatically retrying an authenticated + // request (see rule 1 below). See: https://github.com/whatwg/fetch/issues/1766 + && request->header_list()->contains("WWW-Authenticate"sv.bytes())) { // 1. Needs testing: multiple `WWW-Authenticate` headers, missing, parsing issues. // (Red box in the spec, no-op)