basic auth protected sites ask for the password twice
In Chromium, if I open a website that has basic auth protection, the popup asks me for the password twice. I guess once while Chromium does some prefetching as I type the URL, and once for the actual load of the website. It would really be nice if the password could be cached for a few seconds so I only have to select it once, not twice.
@Pharb, do you see an issue with security if one, e.g., caches the combination for a limited time per domain?
If this might pose a security risk because the password remains in memory for a bit longer, another viable option for me would be to ignore the request coming from the prefetching, if it is possible to determine this.
I can imagine that the specific website you are using uses different host domains to load resources in the background.
The problem with the prefetching you mentioned is that this is very low-level browser functionality, which might break other websites if we changed it arbitrarily.
It would not be acceptable to just send your basic auth password to all those domains without asking the user for each host.
Is this website public, maybe I can take a look?
It is not really public, it is a company intranet site, but I just tried to debug it by leaving the Chrome devtools open in the network view while visiting the site, and there was no gopassbridge popup created until I hit enter to visit the site. If the devtools are closed, the first gopassbridge popup appears after I have typed the first 3 letters of the domain. Maybe it is because it is trying to prefetch the favicon or something like that. I'm sorry that I cannot provide a minimal example. If I come up with a reproducible scenario on my server, I will let you know.
Thanks @nylocx for taking a closer look.
Interesting, but doesn't the same behaviour happen without gopassbridge? Just with the default browser basic-auth dialog?
No, it only happens with gopassbridge activated. I just double checked this. The browser dialog only opens the moment I hit enter as expected.
Ok, if it doesn't happen with the default auth dialog, then it might be a bug or missing handling of an edge case in the extension.
If you find a way to reproduce on a public website, please let us know.
After some digging I found that it could really be related to the favicon. There is a Chromium test that checks the handling of this. More or less, it ignores the 401 from the favicon as long as it is loaded as a resource. I'm not sure which trigger you use to show the popup, but maybe you have to do the special handling on your own. If I find some spare time, I will try to create a test site with a basic auth protected favicon resource.
For reference: https://chromium.googlesource.com/chromium/src/+/62fc8d9d8e96b06feffea2de35c56edd0d2cee3c/chrome/browser/ui/login/login_prompt_browsertest.cc#587
Ok thanks for the reference.
I guess this is a special case that is not reflected in the extension API for handling basic auth: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/onAuthRequired
There is also a function handling system-level requests like safebrowsing updates and favicon fetches in the Chromium test setup:
https://chromium.googlesource.com/chromium/src/+/29f314a3cb94a50602cc2231553db3230c892d45/chrome/test/data/extensions/api_test/webrequest/framework.js?autodive=0#297
I guess we could try to handle that also in gopassbridge.
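As an added illustration of the edge case discussed in this thread (this is example code, not gopassbridge's own), here is decision logic for an `onAuthRequired` listener that lets browser-initiated challenges such as favicon fetches pass through unprompted, and reuses the user's selection only for the same host, port and realm within a short window, never across hosts. It assumes such fetches arrive with `tabId` -1 (the value Chrome's webRequest docs give for requests not tied to a tab); `decideAuth`, `promptUser` and the sample challenge objects are made up for this example.

```javascript
// Added example (not gopassbridge code): decision logic for a webRequest.onAuthRequired
// listener. Assumption: browser-initiated fetches (favicon, omnibox prefetch) carry
// tabId -1, as Chrome's webRequest docs describe for requests not tied to a tab.

const REUSE_WINDOW_MS = 5000;    // assumed window: long enough for a page plus its subresources
const recentChoices = new Map(); // challengeKey -> { entry, at }

// Scope any reuse to one protected realm on one host and port, never across hosts.
function challengeKey(details) {
  const { host, port } = details.challenger;
  const kind = details.isProxy ? 'proxy' : 'server';
  return `${kind}:${host}:${port}:${details.realm || ''}`;
}

// A challenge with no owning tab is browser-initiated: let the 401 through, do not prompt.
function isBrowserInitiated(details) {
  return details.tabId === -1;
}

// promptUser(details) returns the selected secret name, or null if the user cancelled.
// The result says what the listener should do; a real listener would then resolve the
// chosen entry to { authCredentials: { username, password } }, the shape the API expects.
function decideAuth(details, now, promptUser) {
  if (isBrowserInitiated(details)) return { action: 'ignore' };
  const key = challengeKey(details);
  const recent = recentChoices.get(key);
  if (recent && now - recent.at <= REUSE_WINDOW_MS) {
    return { action: 'reuse', entry: recent.entry };
  }
  const entry = promptUser(details);
  if (entry === null) return { action: 'cancel' };
  recentChoices.set(key, { entry, at: now }); // only the entry name is kept, not the secret
  return { action: 'prompt', entry };
}

function resetChoices() { recentChoices.clear(); }

// Constructed sample challenges, shaped like onAuthRequired details objects.
const favicon = {
  tabId: -1, type: 'image', url: 'https://intranet.example/favicon.ico',
  challenger: { host: 'intranet.example', port: 443 }, isProxy: false, realm: 'Intranet',
};
const page = { ...favicon, tabId: 7, type: 'main_frame', url: 'https://intranet.example/' };
const otherHost = {
  ...page, url: 'https://other.example/', challenger: { host: 'other.example', port: 443 },
};
```

With these inputs the favicon challenge is ignored, the page load prompts once, a subresource from the same realm moments later reuses that choice, and a different host prompts again.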