I'm trying to protect a site during an early stage of development from casual prying eyes. Basic auth over HTTPS seemed like a reasonable solution but the presence of a serviceworker seems to prevent it from working in Chrome. This happens specifically if a serviceworker is already installed, but the browser does not have an active authorisation for the desired realm.
Chrome shows that the response was a 401 in the network timeline
And also shows that the browser tab is receiving the right response headers:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="My realm"
Date: Tue, 21 Jun 2016 03:09:35 GMT
Connection: close
Cache-Control: no-cache
But it does not prompt for a login, it just shows the content body of the 401 response.
Is this a Chrome bug, or is it likely to be a problem with my ServiceWorker?
I'm trying to protect a site during an early stage of development from casual prying eyes. Basic auth over HTTPS seemed like a reasonable solution but the presence of a serviceworker seems to prevent it from working in Chrome. This happens specifically if a serviceworker is already installed, but the browser does not have an active authorisation for the desired realm.
Chrome shows that the response was a 401 in the network timeline
And also shows that the browser tab is receiving the right response headers:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="My realm"
Date: Tue, 21 Jun 2016 03:09:35 GMT
Connection: close
Cache-Control: no-cache
But it does not prompt for a login, it just shows the content body of the 401 response.
Is this a Chrome bug, or is it likely to be a problem with my ServiceWorker?
Share Improve this question asked Jun 21, 2016 at 3:14 AndrewAndrew 2,11420 silver badges25 bronze badges 2- How does Chrome know to send auth headers with the service worker request? – Rick Viscomi Commented Jun 22, 2016 at 6:40
- @RickViscomi the serviceworker doesn't, but the tab should, right? The SW ought to be an uncaring middlebox in this process, that's what I assumed. – Andrew Commented Jun 22, 2016 at 7:50
2 Answers
Reset to default 13I demoed this to one of the Google engineers responsible for implementing ServiceWorker in Chrome, and he determined that it was a Chromium bug. Filed here:
https://bugs.chromium.org/p/chromium/issues/detail?id=623464#
This is because of a fetch() option unfortunately defaults to 'omit' credentials. You need to fetch() with {'credentials': 'same-origin'}. Watch for the GitHub pull request.
For now if you are using add() or addAll() you will need to pass a request object.
Example:
cache.addAll(
cacheUrls.map(url => new Request(url, {credentials: 'same-origin'}))
);