I'm developing Single Page App using Angular. The backend exposes REST services that require Basic authentication. Getting index.html or any of the scripts does not require authentication.
I have an odd situation where one of my view has a <img>
where the src
is the url of a REST API that requires authentication. The <img>
is processed by the browser and I have no chance to set the authorization header for GET request it makes. That causes the browser to prompt for credentials.
I attempted to fix this by doing this:
- Leave
img
src
empty in the source
- At "document ready", make an
XMLHttpRequest
to a service (/api/login
) with the Authorization header, just to cause the authentication to occur.
- Upon completing that call, set the
img src
attribute, thinking that by then, the browser would know to include the Authorization header in subsequent requests...
...but it doesn't. The request for the image goes out without the headers. If I enter the credentials, then all other images on the page are right.
(I've also tried and Angular's ng-src
but that produced the same result)
I have two questions:
- Why didn't the browser (IE10) include the headers in all requests after a successful
XMLHttpRequest
?
- What can I do to work around this problem?
@bergi asked for requests' details. Here they are.
Request to /api/login
GET https://myserver/dev30281_WebServices/api/login HTTP/1.1
Accept: */*
Authorization: Basic <header here>
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Connection: Keep-Alive
Response (/api/login)
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 4
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 20 Dec 2013 14:44:52 GMT
Request to /user/picture/2218:
GET https://myserver/dev30281_WebServices/api/user/picture/2218 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Connection: Keep-Alive
And then the web browser prompts for credentials. If I enter them, I get this response:
HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Length: 3119
Content-Type: image/png
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 20 Dec 2013 14:50:17 GMT
question from:
https://stackoverflow.com/questions/20617720/why-doesnt-the-browser-reuse-the-authorization-headers-after-an-authenticated-x 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…