tags:

views:

1139

answers:

3
+3  Q: 

User authentication with XMLHttpRequest works in IE, not in Chrome?

The following function works in IE but not in Chrome:

function doStuff() {
  var request = new XMLHttpRequest();
  request.open("POST", "http://twitter.com/statuses/update.json", true, "USERNAME-HERE", "PASSWORD-HERE");
  request.send("status=STATUS UPDATE HERE");
}

Chrome generates the following request. Note the Authorization header is missing:

OPTIONS /statuses/update.json HTTP/1.1
Host: twitter.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Access-Control-Request-Method: POST
Origin: file://
Access-Control-Request-Headers: Content-Type
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

I get the following response (http 401):

HTTP/1.1 401 Unauthorized
Date: Wed, 03 Feb 2010 00:39:33 GMT
Server: hi
Status: 401 Unauthorized
WWW-Authenticate: Basic realm="Twitter API"
X-Runtime: 0.00107
Content-Type: application/json; charset=utf-8
Cache-Control: no-cache, max-age=300
Set-Cookie: _twitter_sess=BAh7BzoHaWQiJTUxMTc2Nzk4N2U0YzMzZmU0ZTQyNzI4NjQyYjI3ODE2Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsA--bb61324c3ba12c3cd1794b3895a906a69c154edd; domain=.twitter.com; path=/
Expires: Wed, 03 Feb 2010 00:44:33 GMT
Vary: Accept-Encoding
Content-Length: 73
Connection: close

{"request":"/statuses/update.json","error":"Could not authenticate you."}

So, how am I supposed to pass a username and password to XHR? Webkit/Safari documentation says the open method should take these parameters, so I'm not sure why it is failing.

A: 

Have you tried:

request.setRequestHeader('Authorization', 'yourvalue');
AJ  2010-02-03 01:12:17
That won't really help him. Note that Chrome is sending an OPTIONS request.
EricLaw -MSFT-  2010-02-03 01:13:48
@EricLaw he still needs to set Authorization header. And your answer is right too.
AJ  2010-02-03 01:15:39
Adding Authorization doesn't help.
jeffamaphone  2010-02-03 01:29:28
The authorization header will be automatically sent by the last two parameters of the Open() call. If the Open() call wasn't x-domain.
EricLaw -MSFT-  2010-02-03 19:34:55
+3  A: 

From the look of it, you're trying to do an X-Domain XMLHTTPRequest, which is why Chrome sends the OPTIONS pre-flight request. Because the Twitter server doesn't respond to the OPTIONS request indicating that X-Domain access is okay, you get a failure here.

Your code would only work in IE in the Local Computer zone, or if you turn off x-domain-checking (very dangerous)

EricLaw -MSFT-  2010-02-03 01:13:24
That is works in IE because of LMZ seems to be true.
jeffamaphone  2010-02-03 01:29:11
+1  A: 

The solution was that I needed to add 

request.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

The way I'm doing this is... special... so this may not be of much use to others going forward. But once I added this webkit started adding Authorization.

jeffamaphone  2010-02-03 01:30:20
glad request.setRequestHeader() was useful to you after all.
AJ  2010-02-03 02:14:57

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication