I'm trying to protect a site during an early stage of development from casual prying eyes. Basic auth over HTTPS seemed like a reasonable solution but the presence of a serviceworker seems to prevent it from working in Chrome. This happens specifically if a serviceworker is already installed, but the browser does not have an active authorisation for the desired realm.
Chrome shows that the response was a 401 in the network timeline.
And also shows that the browser tab is receiving the right response headers:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="My realm"
Date: Tue, 21 Jun 2016 03:09:35 GMT
Connection: close
Cache-Control: no-cache
But it does not prompt for a login, it just shows the content body of the 401 response.
Is this a Chrome bug, or is it likely to be a problem with my ServiceWorker?
I demoed this to one of the Google engineers responsible for implementing ServiceWorker in Chrome, and he determined that it was a Chromium bug. Filed here:
https://bugs.chromium.org/p/chromium/issues/detail?id=623464#
This is because of a fetch() option unfortunately defaults to 'omit' credentials. You need to fetch() with {'credentials': 'same-origin'}. Watch for the GitHub pull request.
For now if you are using add() or addAll() you will need to pass a request object.
Example:
cache.addAll(
cacheUrls.map(url => new Request(url, {credentials: 'same-origin'}))
);
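A fuller service worker sketch of the approach in the answer above, added here as an example and not code from either answer: it precaches with credentialed Request objects and keeps a 401 challenge body out of the cache. The names CACHE_NAME, PRECACHE_URLS, credentialed, shouldCache, precache and networkThenCache, and the URL list, are assumptions made for illustration.

```javascript
// Added example. All names and the URL list below are constructed for illustration.
const CACHE_NAME = 'site-v1';
const PRECACHE_URLS = ['/', '/app.js', '/app.css'];

// Build a Request that carries same-origin credentials (the Basic auth header
// the browser already holds for this origin) instead of relying on the default.
function credentialed(input, base) {
  const target = typeof input === 'string' ? new URL(input, base).href : input;
  return new Request(target, { credentials: 'same-origin' });
}

// Only successful responses belong in the cache. cache.put() would store a
// 401 body as-is, and it would then be replayed in place of the real resource.
function shouldCache(response) {
  return response.ok;
}

// Precache with explicit Request objects, as the answer recommends for addAll().
async function precache(cache, urls, base) {
  await cache.addAll(urls.map((url) => credentialed(url, base)));
}

// Network first; fall back to the cache only when the network itself fails.
async function networkThenCache(request, cache, fetchImpl = fetch) {
  try {
    const response = await fetchImpl(credentialed(request));
    if (shouldCache(response)) await cache.put(request, response.clone());
    return response; // a 401 is passed through untouched and never stored
  } catch (err) {
    const cached = await cache.match(request);
    if (cached) return cached;
    throw err;
  }
}

// Register handlers only when actually running as a service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined' && self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('install', (event) => event.waitUntil(
    caches.open(CACHE_NAME).then((c) => precache(c, PRECACHE_URLS, self.location.href))
  ));
  self.addEventListener('fetch', (event) => {
    const sameOrigin = new URL(event.request.url).origin === self.location.origin;
    if (event.request.method !== 'GET' || !sameOrigin) return; // leave to the browser
    event.respondWith(
      caches.open(CACHE_NAME).then((c) => networkThenCache(event.request, c))
    );
  });
}
```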