- I am developing a Google chrome plugin.
- under the options page I am running a AJAX request to the server that requires PASSWORD
- I just want to catch the error if Password was incorrect, but browser is giving a popup window.
Can I disable it and how?
views:
325answers:
2
+3
A:
The problem is you’re not Base64-encoding the username (i.e., authentication token) and (dummy) password you’re sending (which is a requirement of the HTTP Basic authentication scheme). Here’s roughly what your code ought to look like:
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://onsip.highrisehq.com/account.xml');
xhr.setRequestHeader('Authorization', 'Basic ' + btoa(token + ':'));
xhr.onreadystatechange = function() { console.log(xhr.responseText); };
xhr.send();
(I swapped in 'onsip' as the subdomain for you, but you still need to replace token with your authentication token.)
byoogle
2010-07-26 12:28:54
not quite sure that is the casetryvar xhr = new HMLHttpRequest();xhr.open('GET', 'UrlToServerThatUsesBasicHttpAuthentication', true, Login, WrongPassword);xhr.send();
simple
2010-08-03 05:36:23
What byoogle wants to tell you possibly is to use the POST-based authenticate on 37signals.com instead of the GET based basic auth?
chx
2010-08-03 05:51:05
Correct, you should be using “POST”. I got the params above by running a packet sniffer against the Highrise login page, so they should match exactly what the page sends (if you view the page source, you’ll see the form method is set to “POST” not “GET”). I recommend you try copying the params I’m passing in since they work for me.
byoogle
2010-08-03 07:00:01
see the API(http://developer.37signals.com/highrise/) of Highrise as I am not really using the "username" and "password" but "token" and "dummypassowrd" , tho I will try to do a post message , and give you the feedback after.
simple
2010-08-06 08:17:14
Oh, didn’t know about their API. I assumed you were screen-scraping. You should definitely keep using the API (much less brittle)! And I see what your problem is now — solution will be in my edited answer.
byoogle
2010-08-08 08:57:59
A:
I know two ways one can do this in Firefox XUL code (but not web code), one of which I know doesn't apply to Google chrome, and a quick test seems to indicate the other doesn't either.
Three options occur to me.
- Have a password checking page on an accessible server (ideally the same one) which when queried (over a secure connection of course) replies with an indication of whether the user/pass combination is correct. If you aren't the same people as involved with the server running this service I'd feel agrieved at you doing this, though thousands let facebook et al. do this kind of thing all the time! On the other hand, it's hard enough convincing people not to be so silly as to let facebook et al. do this all the time, so another person doing the same thing won't help matters.
- Don't ask your users for their passwords, the built-in prompt will then be used in every case and be the "normal" user/pass. Personally, I'd feel happier with the idea that you are doing even Basic since it's over an encrypted channel than what would look like forms authentication (not as happy as I'd be with Digest or another model with some password hiding in the actual protocol) since while both can do some weird and silly stuff with the passwords sent, experience has shown that forms is more likely to be created by someone going "of course I can code securely, what's to think about?" than any other scheme.
- If it's your own server, you can respond to an incorrect password with something other than 401, and use this as a signal in the script to re-query. It would be best to have a special "log-in" URI for this, so as not to have this kludge for XMLHttpRequest interfer with better-behaved clients.
Jon Hanna
2010-08-09 02:21:12