[Bug 29543] New: No Method For Handling an HTTP 401 Response Indicated

https://www.w3.org/Bugs/Public/show_bug.cgi?id=29543

            Bug ID: 29543
           Summary: No Method For Handling an HTTP 401 Response Indicated
           Product: Browser Test/Tools WG
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: WebDriver
          Assignee: public-browser-tools-testing@w3.org
          Reporter: lexrj@indeed.com
        QA Contact: public-browser-tools-testing@w3.org
                CC: mike@w3.org
            Blocks: 20860
  Target Milestone: ---

The Get method specified in section 7.1 acknowledges the possibility of
receiving an HTTP 401 authentication challenge during the process of
requesting a domain. However, there is no specification for how to specify
these credentials.

Currently the only method afforded by the JSON Wire Protocol for handling a
potential HTTP 401 is to provide the credentials as URL encoded strings as part
of the URL (https://user:password@domain.tld/). If no credentials are
specified, the Get will fail unless the session load strategy is none.

The URL based method of authentication is inconsistently handled by various
browsers:
* Firefox will load the URL, add those credentials to the request, and then
strip those credentials from its internally stored credentials
* Chrome will load the URL, add those credentials to the request, and leave the
URL as provided
* Safari will display a Warning page indicating that the URL provided appears
to be a phishing URL

The other primary user action for interacting with an HTTP 401 response is not
afforded: Sending credentials to a generated alert. A method for handling this
is afforded in Selenium Webdriver: an "authenticate" method is provided in
selenium.webdriver.common.alert.Alert. This method attempts to submit a POST
request to "/session/$sessionId/alert/credentials", with a payload of the
username and password. Despite this, there is no specification for this
endpoint in the original prescription for the JSON Wire Protocol
(https://github.com/SeleniumHQ/selenium/wiki/JsonWireProtocol), nor does there
appear to be an equivalent affording of this functionality in this
specification.

As a user of sites that utilize Basic Auth for authentication, I have almost
never specified my credentials as part of the URL. In part, because it means
displaying those credentials in plain text on my screen, while also not always
knowing if I am still authenticated with a site.

Especially with services such as Sauce Labs providing video of test runs that I
want to share within my org, I would like to be able to specify these
credentials in a way that will not be recorded when viewing the browser.

Authenticate method in Selenium Webdriver:
https://seleniumhq.github.io/selenium/docs/api/py/webdriver/selenium.webdriver.common.alert.html?highlight=alert#selenium.webdriver.common.alert.Alert.authenticate

Direct implementation of the set credentials JSON wire protocol call:
https://seleniumhq.github.io/selenium/docs/api/py/_modules/selenium/webdriver/remote/remote_connection.html#RemoteConnection.execute

Above link includes the following lines:
            Command.SET_ALERT_CREDENTIALS:
                ('POST', '/session/$sessionId/alert/credentials'),


Referenced Bugs:

https://www.w3.org/Bugs/Public/show_bug.cgi?id=20860
[Bug 20860] WebDriver Level 1

Received on Saturday, 26 March 2016 18:01:08 UTC
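
Both credential paths described in the report (userinfo in the URL passed to Get, and the POST to "/session/$sessionId/alert/credentials") place secrets in the WebDriver command stream, where they can end up in logs. The following is an added example, not part of the original report or of Selenium's code, showing one way to scrub such commands before they are logged or shared. The `/session/$sessionId/url` navigation path, the `username`/`password` payload keys, the function names and the sample commands are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Paths follow the JSON Wire Protocol layout; the session id is matched generically.
NAVIGATE = re.compile(r"^/session/[^/]+/url$")
ALERT_CREDENTIALS = re.compile(r"^/session/[^/]+/alert/credentials$")
MASK = "[redacted]"


def strip_userinfo(url):
    """Return (url without user:password@, whether userinfo was present)."""
    parts = urlsplit(url)
    # Split on the last "@" so a password containing "@" is removed whole.
    _userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return url, False
    return urlunsplit(parts._replace(netloc=hostport)), True


def redact_command(method, path, body):
    """Return (copy of body safe to log, list of findings)."""
    safe, findings = dict(body), []
    if method != "POST":
        return safe, findings
    if NAVIGATE.match(path) and isinstance(safe.get("url"), str):
        safe["url"], had_userinfo = strip_userinfo(safe["url"])
        if had_userinfo:
            findings.append("credentials embedded in navigation URL")
    elif ALERT_CREDENTIALS.match(path):
        for key in ("username", "password"):  # assumed payload keys
            if key in safe:
                safe[key] = MASK
                findings.append(f"{key} sent to alert/credentials")
    return safe, findings


# Constructed sample commands (not captured from a real session).
SAMPLE_LOG = [
    ("POST", "/session/abc123/url", {"url": "https://user:password@domain.tld/"}),
    ("POST", "/session/abc123/url", {"url": "https://domain.tld/login?next=%2F"}),
    ("POST", "/session/abc123/alert/credentials",
     {"username": "user", "password": "password"}),
]

if __name__ == "__main__":
    for method, path, body in SAMPLE_LOG:
        print(method, path, *redact_command(method, path, body))
```

The scrubber only covers the command log; it does not change what the browser itself displays in its address bar or in a recorded video of the session.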