Bug #83741

HTTP Basic Authentication credentials in Google Chrome 64 not transfered to AJAX calls in d3.js

Added by Marco Huber over 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Backend JavaScript
Target version:
8.7.10
Start date:
2018-01-31
Due date:
% Done:

100%

TYPO3 Version:
8
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Our project is protected by a HTTP Basic Authentication and we have to enter the username/password on every d3.json() call in Google Chrome. In TYPO3 8.7 this function is called in the SvgTree.js to build the tree in the tt_content/categories field, in TYPO3 9.x it's called for every(?) tree.

This is a bug in the d3.js (4.10) library, but it affects every TYPO3 8.7 and 9.x. An Update to d3.js 4.13 doesn't help and in d3.js 5.0 there is a similar issue.

https://github.com/d3/d3-request/issues/33
https://github.com/d3/d3-fetch/issues/10

A dirty workaround would be, to set the credentials with some javascript workaround. But I'm not sure if this is the right way. Berhaps the d3.js developers have some ideas on github.

d3.png View (101 KB) Peter Kraume, 2018-01-31 16:16

Related issues

Related to TYPO3 Core - Feature #76108: Refactor Category tree to be based on SVG Closed 2016-05-10

Associated revisions

Revision d59072a8 (diff)
Added by Tymoteusz Motylewski over 1 year ago

[BUGFIX] D3.js uses basic authentication credentials cached in browser

Chrome 64 changed the behaviour regarding xhr.open() calls when passing
null values as password and username.
The d3.js file is manually patched.
Once PR https://github.com/d3/d3-request/pull/34/files is merged we can
use official d3.js version again.

Resolves: #83741
Releases: master, 8.7
Change-Id: I9b83d953ecd19afb9fa5039e1782d094111b0125
Reviewed-on: https://review.typo3.org/55534
Tested-by: TYPO3com <>
Reviewed-by: Frank Naegler <>
Tested-by: Frank Naegler <>
Reviewed-by: Benni Mack <>
Tested-by: Benni Mack <>

Revision 48e397b4 (diff)
Added by Tymoteusz Motylewski over 1 year ago

[BUGFIX] D3.js uses basic authentication credentials cached in browser

Chrome 64 changed the behaviour regarding xhr.open() calls when passing
null values as password and username.
The d3.js file is manually patched.
Once PR https://github.com/d3/d3-request/pull/34/files is merged we can
use official d3.js version again.

Resolves: #83741
Releases: master, 8.7
Change-Id: I9b83d953ecd19afb9fa5039e1782d094111b0125
Reviewed-on: https://review.typo3.org/55559
Tested-by: TYPO3com <>
Reviewed-by: Peter Kraume <>
Tested-by: Peter Kraume <>
Reviewed-by: Marco Huber <>
Tested-by: Marco Huber <>
Reviewed-by: Andreas Fernandez <>
Tested-by: Andreas Fernandez <>

History

#1 Updated by Peter Kraume over 1 year ago

The problem that Marco described started with Google Chrome 64 which had some changes regarding the handling of basic auth credentials in URLs.
Attached is a screenshot which shows the problem.

#2 Updated by Peter Kraume over 1 year ago

  • Category set to Backend JavaScript

#3 Updated by Peter Kraume over 1 year ago

How to reproduce:

TYPO3 8.7:
  • add basic auth protection to the TYPO3 backend or the whole site
  • use at least Google Chrome 64
  • try to add/edit a content element or page properties
    => you're directly prompted for credentials again
TYPO3 9.x
  • add basic auth protection to the TYPO3 backend or the whole site
  • use at least Google Chrome 64
  • try to open any module that contains the page tree or try to refresh the page tree
    => you're directly prompted for credentials again

#4 Updated by Marco Huber over 1 year ago

  • Related to Feature #76108: Refactor Category tree to be based on SVG added

#6 Updated by Mathias Schreiber over 1 year ago

  • Description updated (diff)

#7 Updated by Tymoteusz Motylewski over 1 year ago

One solution would be to migrate to v5 and change the d3.json (swicthing also request component from d3-request to d3-fetch where you can pass configuration options like

d3.json("path/to/file.json", {credentials: "include"});

Another solution would be to patch d3 manually like in my pull request:
https://github.com/d3/d3-request/pull/34/files

#8 Updated by Gerrit Code Review over 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55534

#9 Updated by Tymoteusz Motylewski over 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#10 Updated by Peter Kraume over 1 year ago

What needs to be done to backport this patch for TYPO3 8.7 as well? On Feb 6th, the next patch release for TYPO3 8.7 is scheduled and it would be great to have this patch in the next release!

#11 Updated by Susanne Moog over 1 year ago

  • Target version set to 8.7.10

#12 Updated by Susanne Moog over 1 year ago

  • Status changed from Resolved to Accepted

Backport still missing

#13 Updated by Gerrit Code Review over 1 year ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55559

#14 Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55559

#15 Updated by Gerrit Code Review over 1 year ago

Patch set 3 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55559

#16 Updated by Tymoteusz Motylewski over 1 year ago

  • Status changed from Under Review to Resolved

#17 Updated by Benni Mack about 1 year ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF