LibWeb: Check presence of WWW-Authenticate header in fetch response

If a HTTP 401 response we get does not contain a `WWW-Authenticate` header, we should not trigger the logic to ask the user for credentials and retry the request. This part is hinted at in a TODO / 'Needs testing' remark in the spec but needs to be fleshed out. Raised an upstream issue to do so: https://github.com/whatwg/fetch/issues/1766 This fixes login forms triggering an infinite fetch loop when providing incorrect credentials. Co-Authored-By: Victor Tran <vicr12345@gmail.com>
Author: https://github.com/gmta Commit: https://github.com/LadybirdBrowser/ladybird/commit/e7984a77116 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/1056 Reviewed-by: https://github.com/tcl3 ✅
2024-08-13 11:47:15 +02:00 · 2024-08-13 11:47:15 +02:00 · e7984a7711 · 2024-08-13 15:02:44 +00:00
commit e7984a7711
parent 1537d589ca
1 changed files with 4 additions and 1 deletions
--- a/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
+++ b/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
@ -1987,7 +1987,10 @@ WebIDL::ExceptionOr<JS::NonnullGCPtr<PendingResponse>> http_network_or_cache_fet
        if (response->status() == 401
            && http_request->response_tainting() != Infrastructure::Request::ResponseTainting::CORS
            && include_credentials == IncludeCredentials::Yes
-            && request->window().has<JS::GCPtr<HTML::EnvironmentSettingsObject>>()) {
+            && request->window().has<JS::GCPtr<HTML::EnvironmentSettingsObject>>()
+            // AD-HOC: Require at least one WWW-Authenticate header to be set before automatically retrying an authenticated
+            //         request (see rule 1 below). See: https://github.com/whatwg/fetch/issues/1766
+            && request->header_list()->contains("WWW-Authenticate"sv.bytes())) {
            // 1. Needs testing: multiple `WWW-Authenticate` headers, missing, parsing issues.
            // (Red box in the spec, no-op)