Bug #83741
HTTP Basic Authentication credentials in Google Chrome 64 not transferred to AJAX calls in d3.js
100%
Description
Our project is protected by HTTP Basic Authentication and we have to enter the username/password on every d3.json() call in Google Chrome. In TYPO3 8.7 this function is called in the SvgTree.js to build the tree in the tt_content/categories field, in TYPO3 9.x it's called for every(?) tree.
This is a bug in the d3.js (4.10) library, but it affects every TYPO3 8.7 and 9.x. An update to d3.js 4.13 doesn't help and in d3.js 5.0 there is a similar issue.
https://github.com/d3/d3-request/issues/33
https://github.com/d3/d3-fetch/issues/10
A dirty workaround would be to set the credentials with some JavaScript workaround. But I'm not sure if this is the right way. Perhaps the d3.js developers have some ideas on GitHub.
Related issues
Associated revisions
[BUGFIX] D3.js uses basic authentication credentials cached in browser
Chrome 64 changed the behaviour regarding xhr.open() calls when passing
null values as password and username.
The d3.js file is manually patched.
Once PR https://github.com/d3/d3-request/pull/34/files is merged we can
use official d3.js version again.
Resolves: #83741
Releases: master, 8.7
Change-Id: I9b83d953ecd19afb9fa5039e1782d094111b0125
Reviewed-on: https://review.typo3.org/55534
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
[BUGFIX] D3.js uses basic authentication credentials cached in browser
Chrome 64 changed the behaviour regarding xhr.open() calls when passing
null values as password and username.
The d3.js file is manually patched.
Once PR https://github.com/d3/d3-request/pull/34/files is merged we can
use official d3.js version again.
Resolves: #83741
Releases: master, 8.7
Change-Id: I9b83d953ecd19afb9fa5039e1782d094111b0125
Reviewed-on: https://review.typo3.org/55559
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Peter Kraume <peter.kraume@gmx.de>
Tested-by: Peter Kraume <peter.kraume@gmx.de>
Reviewed-by: Marco Huber <mail@marco-huber.de>
Tested-by: Marco Huber <mail@marco-huber.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
History
#1
Updated by Peter Kraume almost 2 years ago
The problem that Marco described started with Google Chrome 64 which had some changes regarding the handling of basic auth credentials in URLs.
Attached is a screenshot which shows the problem.
#2
Updated by Peter Kraume almost 2 years ago
- Category set to Backend JavaScript
#3
Updated by Peter Kraume almost 2 years ago
How to reproduce:
TYPO3 8.7:
- add basic auth protection to the TYPO3 backend or the whole site
- use at least Google Chrome 64
- try to add/edit a content element or page properties
=> you're directly prompted for credentials again
- add basic auth protection to the TYPO3 backend or the whole site
- use at least Google Chrome 64
- try to open any module that contains the page tree or try to refresh the page tree
=> you're directly prompted for credentials again
#4
Updated by Marco Huber almost 2 years ago
- Related to Feature #76108: Refactor Category tree to be based on SVG added
#5
Updated by Marco Huber almost 2 years ago
In TYPO3 8.7 this is the code snippet where d3.json is called: https://github.com/TYPO3/TYPO3.CMS/blame/TYPO3_8-7/typo3/sysext/backend/Resources/Public/JavaScript/FormEngine/Element/SvgTree.js#L168
It was introduced with this Feature: https://forge.typo3.org/issues/76108
#6
Updated by Mathias Schreiber almost 2 years ago
- Description updated (diff)
#7
Updated by Tymoteusz Motylewski almost 2 years ago
One solution would be to migrate to v5 and change the d3.json call (also switching the request component from d3-request to d3-fetch), where you can pass configuration options like
d3.json("path/to/file.json", {credentials: "include"});
Another solution would be to patch d3 manually like in my pull request:
https://github.com/d3/d3-request/pull/34/files
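Added example, not taken from the TYPO3 patch or the d3 pull request: it contrasts the xhr.open() call shape named in the commit message with a guarded form, and shows a narrower credentials mode for the fetch route from comment #7. `RecordingXhr`, the function names, the sample URL and the origin are all hypothetical.

```javascript
// Added example; not TYPO3 or d3 code. RecordingXhr is a constructed stand-in
// for XMLHttpRequest so the call shapes can be compared outside a browser.
class RecordingXhr {
  open(...args) { this.openArgs = args; }
}

// Call shape named in the commit message: user and password are always
// forwarded, so unset values reach xhr.open() as explicit null arguments.
function openAlwaysPassingCredentials(xhr, method, url, user = null, password = null) {
  xhr.open(method, url, true, user, password);
  return xhr.openArgs;
}

// Hypothetical guarded form: use the three-argument open() unless the caller
// really supplied credentials, leaving Basic auth to the browser's cache.
function openWithBrowserCredentials(xhr, method, url, user = null, password = null) {
  if (user === null && password === null) {
    xhr.open(method, url, true);
  } else {
    xhr.open(method, url, true, user, password);
  }
  return xhr.openArgs;
}

// fetch() counterpart (the d3-fetch route from comment #7). "same-origin" is
// the narrowest credentials mode that still authenticates a same-origin
// backend; "include" would also send credentials on cross-origin requests.
function fetchOptionsFor(url, pageOrigin) {
  const sameOrigin = new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
  return { credentials: sameOrigin ? "same-origin" : "omit" };
}

// Constructed sample values.
const treeUrl = "/typo3/tree.json";
console.log(openAlwaysPassingCredentials(new RecordingXhr(), "GET", treeUrl).length); // 5
console.log(openWithBrowserCredentials(new RecordingXhr(), "GET", treeUrl).length);   // 3
console.log(fetchOptionsFor(treeUrl, "https://cms.example"));
```

Prefer the guarded form over putting the Basic auth username and password into script code, where they would be readable by anyone who can load the page.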
#8
Updated by Gerrit Code Review almost 2 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55534
#9
Updated by Tymoteusz Motylewski almost 2 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset d59072a8639ba7095852132b85e200b5c11b0663.
#10
Updated by Peter Kraume almost 2 years ago
What needs to be done to backport this patch for TYPO3 8.7 as well? On Feb 6th, the next patch release for TYPO3 8.7 is scheduled and it would be great to have this patch in the next release!
#11
Updated by Susanne Moog almost 2 years ago
- Target version set to 8.7.10
#12
Updated by Susanne Moog almost 2 years ago
- Status changed from Resolved to Accepted
Backport still missing
#13
Updated by Gerrit Code Review almost 2 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55559
#14
Updated by Gerrit Code Review almost 2 years ago
Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55559
#15
Updated by Gerrit Code Review almost 2 years ago
Patch set 3 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55559
#16
Updated by Tymoteusz Motylewski almost 2 years ago
- Status changed from Under Review to Resolved
Applied in changeset 48e397b4e35332eae64b71481b1b0a3b9f18ecfa.
#17
Updated by Benni Mack about 1 year ago
- Status changed from Resolved to Closed