Wednesday, February 7, 2007

Problem with Firebug and HTTP Authentication in XMLHttpRequests

We've been trying for a while to figure out the best way to authenticate XMLHttpRequest calls to the Cosmo Management Protocol in the Cosmo web UI. The solution we're using for 0.6 is to insert the "Authorization" header by hand with an HTTP Basic credential: the word "Basic" followed by the base64 encoding of the string "username:password". (Base64 is an encoding, not encryption, so anyone who can read the header can read the password.) This works like a charm, except for one thing: to build that header on every request, we need to keep the username and password around on the client side.

We've come up with a couple of approaches, all of them relying at some level on keeping the username and password in a cookie. Unfortunately, all of them are vulnerable to cross-site scripting (XSS): any script an attacker manages to inject into the page can read that cookie. Worse, what such an attack hands the interloper is the user's actual password, not just a session token that could be revoked.

Fortunately, it looks like there is a better option. Paul James has demonstrated a way to drive HTTP authentication from JavaScript without relying on the browser's built-in authentication prompt, and Berend de Boer has written up many of the details.

The first time I tested Paul's solution, however, it didn't work. Safari seemed to perform exactly as expected, but Firefox was a no-go.

To make a long story short, it turns out this is actually a bug in Firebug. To provide its slick XMLHttpRequest monitoring, Firebug wraps calls to XMLHttpRequest.open(). Unfortunately, the wrapper doesn't know about the optional username and password parameters that open() accepts after method, url and async, so with Firebug installed those two arguments are dropped before they reach the real open() and the credentials never get passed along.
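To make both points concrete, here is an added example of my own (not Cosmo's code and not Firebug's) that builds the Basic "Authorization" value by hand, then shows how a monitoring wrapper around open() loses the user/password arguments when it forwards only the first three, and how forwarding every argument fixes it. The XMLHttpRequest stand-in is a stub constructed for the example so it runs outside a browser; the URL and credentials are placeholders.

```javascript
// Added example: hand-built HTTP Basic credential plus a demonstration of
// why wrapping XMLHttpRequest.open() with a fixed arity drops credentials.
// FakeXHR is a constructed stand-in for the browser object, not the real one.

// Basic credential per RFC 2617: "Basic " + base64("username:password").
// Base64 is an encoding, not encryption: anything that can read this header
// (or the cookie it was built from) has the password in the clear.
function basicAuthHeader(username, password) {
  if (username.indexOf(':') !== -1) {
    throw new Error('Basic auth usernames cannot contain ":"');
  }
  var raw = username + ':' + password;
  // btoa() only accepts Latin-1 strings; fall back to Buffer outside a browser.
  var b64 = typeof btoa === 'function'
    ? btoa(raw)
    : Buffer.from(raw, 'latin1').toString('base64');
  return 'Basic ' + b64;
}

// Minimal stand-in for XMLHttpRequest that records what open() received.
function FakeXHR() {
  this.openArgs = null;
  this.headers = {};
}
FakeXHR.prototype.open = function (method, url, async, user, password) {
  this.openArgs = { method: method, url: url, async: async,
                    user: user, password: password };
};
FakeXHR.prototype.setRequestHeader = function (name, value) {
  this.headers[name] = value;
};

// The approach the post describes for 0.6: set the header manually.
function openWithManualHeader(username, password) {
  var xhr = new FakeXHR();
  xhr.open('GET', '/example/resource', true);   // placeholder URL
  xhr.setRequestHeader('Authorization', basicAuthHeader(username, password));
  return xhr.headers['Authorization'];
}

// A monitoring wrapper in the style of a debugging extension: keep the
// original open(), replace it with one that logs the call, then delegates.
function installLossyWrapper(Xhr, log) {
  var originalOpen = Xhr.prototype.open;
  Xhr.prototype.open = function (method, url, async) {
    log.push(method + ' ' + url);
    // Bug: only three arguments are forwarded, so user/password vanish.
    return originalOpen.call(this, method, url, async);
  };
  return originalOpen;
}

// The fix: forward whatever the caller passed, however many arguments.
function installForwardingWrapper(Xhr, log) {
  var originalOpen = Xhr.prototype.open;
  Xhr.prototype.open = function (method, url) {
    log.push(method + ' ' + url);
    return originalOpen.apply(this, arguments);
  };
  return originalOpen;
}

// Open with credentials under a given wrapper and report whether they
// reached the underlying open(). Restores the prototype afterwards.
function credentialsSurvive(installWrapper) {
  var log = [];
  var originalOpen = installWrapper(FakeXHR, log);
  var xhr = new FakeXHR();
  xhr.open('GET', '/example/resource', true, 'alice', 's3cret');  // placeholders
  FakeXHR.prototype.open = originalOpen;
  return log.length === 1 &&
         xhr.openArgs.user === 'alice' && xhr.openArgs.password === 's3cret';
}
```

The lossy wrapper is exactly the shape that bites here: it still logs the request and the call still succeeds, so nothing visibly fails; the request simply goes out unauthenticated. When wrapping any browser API for instrumentation, delegate with `apply(this, arguments)` rather than re-listing the parameters you happen to know about.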

I've filed a bug with a patch that should do the trick, so hopefully this will be resolved soon.
