Opened 7 years ago

Closed 7 years ago

#8335 closed defect (fixed)

Torbutton 1.5 Causing Repeated HTTP Auth Prompts for Every Page

Reported by: tas142
Owned by: mikeperry
Priority: High
Milestone: TorBrowserBundle 2.3.x-stable
Component: TorBrowserButton
Keywords: tbb-rebase-regression, tbb-usability-website, MikePerry201303
Actual Points: 2

Description

Tor Browser Bundle (2.3.25-4) includes Torbutton 1.5, which appears to invalidate HTTP authentication after each page is loaded when the HTTP authentication is on the root directory of the website.

This message appears in the Error Console after entering the authentication information into the HTTP auth prompt:

Torbutton NOTE: Removing 3rd party HTTP auth for url: [scrubbed]

The result is that the user must enter the HTTP authentication information for each page on the website.

There was no issue in prior releases of the Tor Browser Bundle.

The expected behavior is that the browser should store the HTTP authentication credentials until Active Logins are cleared or a New Identity is selected.

Attachments (1)

torbutton-1.5.1pre6.xpi (819.1 KB) - added by mikeperry 7 years ago.
Fix repeated http auth popups.


Change History (10)

comment:1 Changed 7 years ago by tas142

Milestone: TorBrowserBundle 2.3.x-stable

comment:2 Changed 7 years ago by tas142

Component: Torbutton → TorBrowserButton
Owner: set to mikeperry

comment:3 Changed 7 years ago by mikeperry

Keywords: tbb-rebase-regression tbb-usability-website added; http auth 3rd party http auth torbutton removed

Hrmm. I wonder if this is due to our recent use of Private Browsing Mode.. This doesn't happen for me on trac.torproject.org, which uses HTTP auth + cookies. I suppose it could be because the cookies are surviving, which is enough for Trac.

comment:4 in reply to:  3 Changed 7 years ago by tas142

Replying to mikeperry:

Hrmm. I wonder if this is due to our recent use of Private Browsing Mode.. This doesn't happen for me on trac.torproject.org, which uses HTTP auth + cookies. I suppose it could be because the cookies are surviving, which is enough for Trac.

Right, it doesn't happen on trac.project.org because the HTTP auth seems to be on a subdirectory. The error only seems to occur when the HTTP auth is on the root directory of the website (i.e., on the "public_html" directory).

Strangely, if the root HTTP auth is disabled, subdirectories that have separate HTTP auth work as expected. Once a user enters a subdirectory and has been successfully authenticated, if the root HTTP auth is re-enabled, then the browser behaves as expected and after the initial prompt, HTTP auth of the root directory is preserved. However, once the browser is closed, on relaunch the issue reappears, and the user receives a prompt for each page the user visits.

Tried disabling Private Browsing Mode and disabling all of TorButton's security settings, but the issue still persists, always with the following message after a page has loaded:

Torbutton NOTE: Removing 3rd party HTTP auth for url: [scrubbed]

Thanks for reviewing.

comment:5 Changed 7 years ago by arma

I expect it would help Mike if you gave him a specific website for which this is a problem. That way if he produces a fix he'll be able to test it.

comment:6 Changed 7 years ago by tas142

Hi,

You can see a demonstration of the issue at the following URL:

http://tordev1.juplo.com

The HTTP auth credentials are:

username: testing
password: abc123

This website is a default installation of Joomla 3.0 with sample content loaded. Just the public_html folder is protected with http authentication.

After a page fully loads, browsing to every page requires that the HTTP auth username and password be entered again. It is possible to open another page from a page that hasn't fully loaded because Torbutton appears to remove the HTTP auth after a page is done loading. Just reloading the page after it's been loaded also causes the prompt, even if the page is a direct link to an image.

After each page fully loads, the same message appears in the error console:

Torbutton NOTE: Removing 3rd party HTTP auth for url: [scrubbed]

This behavior has been observed on both Joomla and vBulletin installations and also within subdirectories, not just when the public_html is protected, as was incorrectly stated in a prior message.

Thanks again for reviewing.

comment:7 Changed 7 years ago by mikeperry

Priority: normal → major

comment:8 Changed 7 years ago by mikeperry

Heh. This turns out to be due to favicons. We strip the auth off of them because technically the browser chrome UI (not the website) is loading them. This might be a little tricky to fix in the general case, but I think I should be able to special case just favicons for HTTP auth without too much trouble.

For now, as a workaround you can go into about:config and set browser.chrome.favicons and browser.chrome.site_icons to false.
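
The favicon interaction described in comment 8, as an added example that is not part of the ticket or of Torbutton's code: a simplified JavaScript model in which the browser chrome's favicon load has no initiating document, is classed as third party, and costs the host its stored credentials. The credential-cache model, the `favIconFix` switch, the request fields and the `site.example` host are assumptions made for illustration.

```javascript
// Simplified model (assumption), not Torbutton's code: a credential cache keyed
// by host, plus a filter that drops HTTP auth from "third-party" loads.
const THIRD_PARTY_NOTE = "Torbutton NOTE: Removing 3rd party HTTP auth for url: ";

// A load is first-party when it has an initiating document on the same host.
// Loads issued by the browser chrome (e.g. favicons) have no document at all.
function isThirdParty(req, favIconFix) {
  const host = new URL(req.url).hostname;
  if (req.documentUrl) return new URL(req.documentUrl).hostname !== host;
  // Hypothetical special case: a chrome-loaded favicon is judged against the
  // page whose tab it decorates instead of being treated as parentless.
  if (favIconFix && req.isFavicon && req.pageUrl) {
    return new URL(req.pageUrl).hostname !== host;
  }
  return true;
}

// Replays a browsing session and returns how often the user is prompted.
function browse(pages, favIconFix) {
  const authCache = new Set(); // hosts with stored credentials
  const log = [];
  let prompts = 0;
  for (const page of pages) {
    const host = new URL(page).hostname;
    if (!authCache.has(host)) { prompts++; authCache.add(host); } // auth dialog
    // After the page finishes loading, the chrome fetches the site icon.
    const icon = { url: new URL("/favicon.ico", page).href, documentUrl: null,
                   isFavicon: true, pageUrl: page };
    if (authCache.has(host) && isThirdParty(icon, favIconFix)) {
      authCache.delete(host); // assumed effect of stripping the auth
      log.push(THIRD_PARTY_NOTE + "[scrubbed]");
    }
  }
  return { prompts, log };
}

// Constructed sample session on a placeholder host.
const SESSION = ["http://site.example/", "http://site.example/a",
                 "http://site.example/img/logo.png"];
const before = browse(SESSION, false); // regression: one prompt per page
const after = browse(SESSION, true);   // favicon special case: one prompt
console.log(before.prompts, after.prompts);
```

In this model a favicon served from a different host than the page stays third party even with the special case enabled, so the isolation of genuinely cross-site credentials is unchanged.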

Changed 7 years ago by mikeperry

Attachment: torbutton-1.5.1pre6.xpi added

Fix repeated http auth popups.

comment:9 Changed 7 years ago by mikeperry

Actual Points: 2
Keywords: MikePerry201303 added
Resolution: fixed
Status: new → closed

This is in TBB-2.3.25-5.
