Safari not prompting for basic authentication

Our website provides hyperlinks to third-party software which requests basic authentication. Previously a user would click the link, they would be taken to the new URL, and an authentication prompt would be shown. On the recent update Safari no longer prompts for authentication, and users are given a 401 Unauthorised error immediately. If you reload the page, it will prompt. Pasting the URL directly into the address bar works correctly.


This is not due to caching or cookies. I can confirm it was working fine in macOS Safari 11.0.1 and is broken in 11.0.2. Chrome does not exhibit this behaviour. I also have reports of the same issue affecting iOS Safari, but I have not isolated versions.


Loading a test page from my local HDD does not give the same problem, but when hosted via IIS (on our web server or on my development machine) it fails every time. An example page is hosted here:

https://go.itelescope.net/auth_test.html


It links to a test authentication server here (this test server does not display a 401 error, but it still should show the authentication dialog):

http://httpbin.org/basic-auth/user/passwd


Has anyone seen this before, or found a solution? I'm also reporting this to Apple but since I'm not an Apple Developer I expect it to get lost in the noise.

macOS High Sierra (10.13.2), Safari 11.0.2

Posted on Jan 9, 2018 6:21 PM


Jan 17, 2018 3:42 AM in response to dabateswk

Thanks, that explains a lot. I'll test this more at a later date, but it would explain why testing from my local HDD works (file is loaded non-secure). Do you know if this is documented anywhere? I tried searching for release notes, but all I can find from Apple is information about security fixes.


I may not agree with their design choice, but I accept that they have more knowledge and experience in this matter, so I won't argue it. However, what really gets me is the implementation. No warning, no notice, nothing to indicate this was done intentionally to keep the user safe. All it needs is a warning similar to their phishing warning:

User uploaded file


But to silently fail with no warning? That's crap design.


I have very little control over the destination of the links. If I can't change the destination to HTTPS, their security improvements require that I change my site to HTTP? Unlikely. At this stage I will have to alert all users to no longer use Safari.


Jan 28, 2018 4:26 PM in response to dabateswk

@dabateswk I finally had time to test this (the holiday period is hectic). My results certainly line up with what you are saying:

  • HTTPS -> HTTP fails
  • HTTPS -> HTTPS works
  • HTTP -> HTTP works
  • HTTP -> HTTPS works

I still would like to see this documented from Apple if you know of any. Alternatively where did you get your information from?


Jan 17, 2018 3:42 AM in response to i_leeder

In iOS 11.2 and macOS 10.13.2 Safari no longer prompts for credentials when navigating to an insecure web page (served over HTTP) that requires authentication from a secure web page (served over HTTPS) to prevent phishing attacks. For a similar reason, Safari no longer prompts for credentials when loading either an insecure subresource (e.g. an image) that requires authentication or a secure subresource that requires authentication through an insecure redirect from a secure web page.


The solution is to ensure that the web page that links to the test authentication server and the test authentication server use the same scheme: http or https. In its preferred embodiment, both would be accessed over HTTPS. With regards to your example, <https://go.itelescope.net/auth_test.html> should be modified to link to <https://httpbin.org/basic-auth/user/passwd> (notice the use of "https").

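The scheme check described in the answer above, as an added example that is not part of the original thread: it resolves each link against the page URL and flags HTTPS-to-HTTP navigations, the one case in which Safari suppresses the authentication prompt. The function names and the sample link list are constructed for illustration.

```javascript
// Added example (not from the thread). Function names are hypothetical.

// Classify one link by the scheme of the linking page and of the resolved target.
function classify(pageUrl, href) {
  const from = new URL(pageUrl);
  let to;
  try {
    to = new URL(href, pageUrl); // resolves relative and protocol-relative hrefs
  } catch (e) {
    return { href, status: 'unparsable' };
  }
  if (to.protocol !== 'http:' && to.protocol !== 'https:') {
    return { href, status: 'not-http' }; // mailto:, tel:, javascript:, ...
  }
  // Only a secure page linking to an insecure target loses the prompt.
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  const result = { href, target: to.href, status: downgrade ? 'prompt-suppressed' : 'ok' };
  if (downgrade) {
    // Suggested replacement; the target host must actually serve HTTPS.
    const fixed = new URL(to.href);
    fixed.protocol = 'https:';
    result.suggested = fixed.href;
  }
  return result;
}

// Return only the links that need attention on the given page.
// In a browser: auditLinks(location.href,
//   Array.from(document.links, a => a.getAttribute('href')))
function auditLinks(pageUrl, hrefs) {
  return hrefs.map(h => classify(pageUrl, h))
              .filter(r => r.status === 'prompt-suppressed');
}

// Constructed sample: the page and test server URLs come from the thread,
// the remaining hrefs are made up to exercise the other cases.
const SAMPLE_PAGE = 'https://go.itelescope.net/auth_test.html';
const SAMPLE_HREFS = [
  'http://httpbin.org/basic-auth/user/passwd',  // HTTPS -> HTTP: flagged
  'https://httpbin.org/basic-auth/user/passwd', // HTTPS -> HTTPS: ok
  '//httpbin.org/basic-auth/user/passwd',       // inherits https: ok
  '/other.html',                                // same origin: ok
  'mailto:someone@example.com',                 // not an HTTP navigation
];

for (const r of auditLinks(SAMPLE_PAGE, SAMPLE_HREFS)) {
  console.log(`${r.target} -> use ${r.suggested}`);
}
```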
