Bug #83741
closed
HTTP Basic Authentication credentials in Google Chrome 64 not transfered to AJAX calls in d3.js
100%
Description
Our project is protected by a HTTP Basic Authentication and we have to enter the username/password on every d3.json() call in Google Chrome. In TYPO3 8.7 this function is called in the SvgTree.js to build the tree in the tt_content/categories field, in TYPO3 9.x it's called for every(?) tree.
This is a bug in the d3.js (4.10) library, but it affects every TYPO3 8.7 and 9.x. An Update to d3.js 4.13 doesn't help and in d3.js 5.0 there is a similar issue.
https://github.com/d3/d3-request/issues/33
https://github.com/d3/d3-fetch/issues/10
A dirty workaround would be, to set the credentials with some javascript workaround. But I'm not sure if this is the right way. Berhaps the d3.js developers have some ideas on github.
Files
Updated by Peter Kraume over 7 years ago
The problem that Marco described started with Google Chrome 64 which had some changes regarding the handling of basic auth credentials in URLs.
Attached is a screenshot which shows the problem.
Updated by Peter Kraume over 7 years ago
How to reproduce:
TYPO3 8.7:- add basic auth protection to the TYPO3 backend or the whole site
- use at least Google Chrome 64
- try to add/edit a content element or page properties
=> you're directly prompted for credentials again
- add basic auth protection to the TYPO3 backend or the whole site
- use at least Google Chrome 64
- try to open any module that contains the page tree or try to refresh the page tree
=> you're directly prompted for credentials again
Updated by Marco Huber over 7 years ago
- Related to Feature #76108: Refactor Category tree to be based on SVG added
Updated by Marco Huber over 7 years ago
In TYPO3 8.7 this is the code snippet where d3.json is called: https://github.com/TYPO3/TYPO3.CMS/blame/TYPO3_8-7/typo3/sysext/backend/Resources/Public/JavaScript/FormEngine/Element/SvgTree.js#L168
It was introduced with this Feature: https://forge.typo3.org/issues/76108
Updated by
Updated by Tymoteusz Motylewski over 7 years ago
One solution would be to migrate to v5 and change the d3.json (swicthing also request component from d3-request to d3-fetch where you can pass configuration options like
d3.json("path/to/file.json", {credentials: "include"});
Another solution would be to patch d3 manually like in my pull request:
https://github.com/d3/d3-request/pull/34/files
Updated by Gerrit Code Review over 7 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55534
Updated by Tymoteusz Motylewski over 7 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset d59072a8639ba7095852132b85e200b5c11b0663.
Updated by Peter Kraume over 7 years ago
What needs to be done to backport this patch for TYPO3 8.7 as well? On Feb 6th, the next patch release for TYPO3 8.7 is scheduled and it would be great to have this patch in the next release!
Updated by Susanne Moog over 7 years ago
- Status changed from Resolved to Accepted
Backport still missing
Updated by Gerrit Code Review over 7 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55559
Updated by Gerrit Code Review over 7 years ago
Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55559
Updated by Gerrit Code Review over 7 years ago
Patch set 3 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55559
Updated by Tymoteusz Motylewski over 7 years ago
- Status changed from Under Review to Resolved
Applied in changeset 48e397b4e35332eae64b71481b1b0a3b9f18ecfa.
Updated by
Updated by Benjamin Franzke over 4 years ago
- Related to Task #93186: Use AjaxRequest instead of broken d3.request added