
Resource Timing "name" capturing basic auth credentials for XHR requests.

From: Nick Niemeir <nniemeir@newrelic.com>
Date: Fri, 23 Jan 2015 17:18:44 -0800
Message-ID: <CANEpQ8a0Onhthur7hc_uxhJKdh5xa9HWX9GP9+91Y=K032dsXQ@mail.gmail.com>
To: public-web-perf@w3.org

For a quick example go to https://httpbin.org/ and try this out in the
console:

```
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://foo:bar@httpbin.org/basic-auth/foo/bar');
xhr.send();
// Give the request time to finish, then read the credentials back out of the
// Resource Timing entry: its "name" is the full request URL, userinfo included.
setTimeout(function () {
  var entry = performance.getEntriesByType('resource').pop();
  alert('Your password is: ' + entry.name.split('@')[0].split(':').pop());
}, 500);
```

Using basic auth may not be a great idea, but people still do,
inadvertently exposing passwords to other JavaScript on their pages.
Received on Monday, 26 January 2015 13:23:55 UTC
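The following is an added example, not part of the original post, showing the defensive side of the issue: a user agent (or a page-level audit) that strips the userinfo component from a resource URL before exposing it, plus a check that walks a list of entries shaped like `PerformanceResourceTiming` objects and reports which ones carried credentials. The entry objects below are constructed by hand so the code runs outside a browser; the `auditLivePerformance` helper is a hypothetical convenience for running the same audit against `performance.getEntriesByType('resource')` in a page.

```javascript
// Added example (not from the original post): redact embedded credentials
// from resource URLs and audit Resource Timing style entries for leaks.

// Returns the URL with any "user:password@" component removed.
// Relative or unparsable input is returned unchanged.
function redactCredentials(name) {
  let u;
  try {
    u = new URL(name);
  } catch (e) {
    return name;
  }
  if (u.username === '' && u.password === '') return name;
  // Clearing both fields makes the WHATWG serializer drop the "@" entirely.
  u.username = '';
  u.password = '';
  return u.href;
}

// True when the URL carries a userinfo component (username and/or password).
function hasCredentials(name) {
  try {
    const u = new URL(name);
    return u.username !== '' || u.password !== '';
  } catch (e) {
    return false;
  }
}

// Walks entries shaped like PerformanceResourceTiming ({ name, entryType })
// and returns the redacted names of the resource entries that leaked
// credentials, so a report never repeats the secret it is warning about.
function auditResourceEntries(entries) {
  return entries
    .filter((e) => e.entryType === 'resource' && hasCredentials(e.name))
    .map((e) => redactCredentials(e.name));
}

// Hypothetical browser-side helper: run the audit on the live timeline.
function auditLivePerformance() {
  if (typeof performance === 'undefined' || !performance.getEntriesByType) {
    return [];
  }
  return auditResourceEntries(performance.getEntriesByType('resource'));
}

// Constructed sample entries mimicking performance.getEntriesByType('resource').
const SAMPLE_ENTRIES = [
  { name: 'https://httpbin.org/get', entryType: 'resource' },
  { name: 'https://foo:bar@httpbin.org/basic-auth/foo/bar', entryType: 'resource' },
  { name: 'https://user@example.com/api', entryType: 'resource' },
  { name: 'https://a:b@example.com/', entryType: 'navigation' },
];

// Usage: list the leaking resource URLs from the constructed sample.
console.log(auditResourceEntries(SAMPLE_ENTRIES));
```

The redaction relies on the WHATWG URL parser rather than string splitting on "@", so a "@" inside the path or query does not confuse it, and a URL with only a username (no password) is still treated as carrying credentials.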
