-
Notifications
You must be signed in to change notification settings - Fork 457
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Chrome doesn't support concatenation of WWW-Authenticate values #5289
Comments
OK, the log fragment you sent shows the 401 status being sent to the web browser, but no authentication data being sent from the browser to cupsd. What browser are you using? What version of OpenBSD? |
Ohoh my bad... yes you're right, that's a brower issue. |
Facing the same exact problem it might still be interesting to know what the actual issue is. If it is indeed a bug in chromium, fine. But if chromium deliberately changed its behaviour it may be wise to adapt CUPS accordingly. Otherwise chromium would end up being permanently unsupported. |
Chrome cowardly stopped supporting self-signed certificates, at all. Nothing we can do to "adapt" short of dropping the web interface... We already support Let's Encrypt and other CA-sign certs. |
I see. Does basic auth always use encryption? Because I'm seeing this with plain http. |
Basic auth (RFC 7617) does not explicitly allow it, but Chromium requires it. |
Oof. OK then. Firefox it is… Thanks for the insights. |
The problem seems to be the ", Local" part appended to the "WWW-Authenticate" response header. Chromium doesn't seem to like it for some reason! |
Hmm, sounds like chromium isn't supporting HTTP properly (!). WWW-Authenticate is one of the (many) HTTP headers that follows value concatenation rules... We can probably filter out the ", Local" part for non-CUPS clients, but ultimately Google needs to fix Chrome... |
Your short-term workaround in CUPS sounds good. FWIW the exact log message is:
I'll try to dig into Chromium to see where the issue might be and/or create an upstream report about this. |
Further investigation reveals that Chromium requires values for each field in the WWW-Authenticate header. RFC 7235 seems to agree with Chromium's behavior, I think because otherwise we can't tell if it's a new auth scheme or another auth parameter. In this case, the "Local" parameter doesn't have a value. If this parameter is specific to CUPS, would it be possible to add a dummy value to it? |
OK, according to RFC 7235 (which defines the syntax of the WWW-Authenticate header values) auth parameters are optional - the specific ABNF is:
WRT the CUPS-specific "Local" authentication scheme, it has one parameter ("trc" for "try root certificate") but we currently only add it if we want the client to try authenticating as root. There is also the CUPS-specific "PeerCred" authentication scheme that is used over domain sockets. |
You're right! My bad for not understanding Looking at net/http/http_auth.cc and HttpAuthChallengeTokenizer::Init, Chromium appears to accept multiple challenges but requires each of them to be in a separate So a workaround in CUPS might be to issue a separate |
It would mean separating WWW-Authenticate and all other headers using this syntax into multiple lines, which is tedious and should be totally unnecessary - after all, this functionality has been part of HTTP since RFC 2068 (the original HTTP/1.1 specification). I will look at the options, but the least invasive option is to detect when Chrome is in use and simply omit the Local scheme. |
…tiple authentication schemes in a single response header (Issue #5289)
…ple authentication schemes in a single response header (Issue #5289)
[master 4feb1fe] - Added a workaround for certain web browsers that do not support multiple authentication schemes in a single response header (Issue #5289) [branch-2.2 2390f1d] Added a workaround for certain web browsers that do not support multiple authentication schemes in a single response header (Issue #5289) |
Thanks for the fix! Please note the comment I added to commit 2390f1d (it appears to be incomplete). Random fact: Chromium would also accept |
Hi.
The login promt dialog is never displayed on the web interface since I moved from 2.2.6 to 2.2.7 on OpenBSD. I'm running with the "Fixed builds without PAM (Issue #5283)" patch.
I can't add printer or anything...
The text was updated successfully, but these errors were encountered: