we have a webserver (nginx) https://www.website.com which is protected by a basic authentication. The API https://www.website.com/api does not have a basic authentication!
The problem now is, since Safari 12 (macOS & iOS), the http header set by our javascript application with a Bearer token for /api requests is actually not sent to the server, because it is replaced with the basic token. I can see this in the network tab in the safari developer tools. As mentioned before /api is public and not protected!
Chrome, e.g., does send the correct Bearer token and not the Basic one.
When I remove the basic authentication in the nginx configuration and restart safari, everything works fine and the Bearer token is sent to the api.
It seems that Safari 12 just automatically sends the Basic token along with every request for the domain.
Does anybody have an idea if this is a bug in Safari? One solution might be that we change the API target from /api to a separate subdomain like api.website.com.
Thanks for your help.
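For reference, an nginx configuration that reproduces the setup described in the question (Basic auth on the site, none on /api) and logs which Authorization scheme /api actually receives, so the Basic-instead-of-Bearer symptom can be confirmed server-side. This is an added example, not the poster's configuration; the htpasswd path, backend address and log path are assumptions.

```nginx
# http context: classify the Authorization scheme the API receives
map $http_authorization $auth_scheme {
    default          "none";
    "~*^Basic\s"     "basic";     # browser-supplied Basic credentials
    "~*^Bearer\s"    "bearer";    # token set by the JavaScript app
}

log_format auth_debug '$remote_addr "$request" scheme=$auth_scheme ua="$http_user_agent"';

server {
    listen 443 ssl;
    server_name www.website.com;
    # ssl_certificate / ssl_certificate_key omitted

    # whole site behind Basic auth, as in the question
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;        # assumed path

    location /api {
        auth_basic off;                               # API is public
        # records whether Safari sent Basic or Bearer for API requests
        access_log /var/log/nginx/api_auth.log auth_debug;   # assumed path
        proxy_pass http://127.0.0.1:8080;             # assumed backend
    }

    location / {
        root /var/www/html;
    }
}
```

Lines with scheme=basic from a Safari user agent confirm that the browser, not the application, is setting the header; a backend behind /api should then reject Basic-scheme headers explicitly rather than silently treating them as a missing token.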
The HTTP Authorization request header can be used to provide credentials that authenticate a user agent with a server, allowing access to a protected resource. The Authorization header is usually, but not always, sent after the user agent first attempts to request a protected resource without credentials.
These can be stored in the browser local storage or session storage.
You can't. ANY HTTP headers by default will be seen in the browser, at any time: End-to-end headers: These headers must be transmitted to the final recipient of the message; that is, the server for a request or the client for a response.
I can tell you that I am seeing the same issue with your proposed "api.website.com" solution. Safari seems to not care about subdomain. It seems to only care about domain.