
Can Javascript do Basic Auth in IE6?

A Microsoft security patch disabled URLs of the format

http://username:pa******@somesite.com/someresource

There are programmatic ways to get around this but I can't find an
example in Javascript.

I've seen the MSDN knowledge base article on the subject

http://support.microsoft.com/kb/834489/

The registry hack is no good for customers. We can't make them edit
their registry.

I think it is possible to access an ActiveX object that will allow the
username and password to be set programmatically.

Under IE Javascript is capable of handling ActiveX objects. Is it
possible to access sites with Basic Auth by allowing Javascript to set
the username and password?

Example code would be great.

Thanks for any help!
Jul 23 '05 #1
In article <MP************************@news.newsguy.com>,
noemail@anyaddressiown_invalid.com says...
> A Microsoft security patch disabled URLs of the format
>
> http://username:pa******@somesite.com/someresource
>
> There are programmatic ways to get around this but I can't find an
> example in Javascript.
>
> I've seen the MSDN knowledge base article on the subject
>
> http://support.microsoft.com/kb/834489/
>
> The registry hack is no good for customers. We can't make them edit
> their registry.
>
> I think it is possible to access an ActiveX object that will allow the
> username and password to be set programmatically.
>
> Under IE Javascript is capable of handling ActiveX objects. Is it
> possible to access sites with Basic Auth by allowing Javascript to set
> the username and password?


Possibly, but what security is there in sending usernames and passwords
to the client, in clear text?

--
Hywel

Kill the Crazy Frog
http://www.petitiononline.com/crzyfrg/
Jul 23 '05 #2
Not bulletproof but that is the way some resources protect themselves.

It's still an improvement because the username and password don't appear
in the source of the webpage.

So now, if you want to steal the username and password you need a proxy
or packet sniffer, not just a browser with a "View Source" option.

In any case, do you have any information on how it's done?

Jul 23 '05 #3
Do it on the server.

Best way to lock it down is by having either a server-side script to do
authorization, or use a .htaccess file (Apache) to prompt.

Jul 23 '05 #4
In article <11*********************@z14g2000cwz.googlegroups.com>,
na*************@gmail.com says...
> Do it on the server.
>
> Best way to lock it down is by having either a server-side script to do
> authorization, or use a .htaccess file (Apache) to prompt.

Our servers may not have access to the protected resource due to our
customers' network topology, firewalls or whatever.

We need to produce a page that will give our customers direct access to
Basic Auth resources. We can't always do it on the server.

In any case, I finally figured out the code and I'll post the answer
later.
Jul 23 '05 #5
Yes it can, in at least one way:

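function getDoc(url, username, password) {
    // WinHTTP COM object; IE must be allowed to create it via ActiveX
    var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");

    // Synchronous GET (third argument false = not asynchronous)
    WinHttpReq.Open("GET", url, false);
    // Flag 0 = credentials are for the server, not a proxy
    WinHttpReq.SetCredentials(username, password, 0);
    WinHttpReq.Send();
    if (WinHttpReq.Status == 200) {
        // Write the fetched response body into the current document
        document.write(WinHttpReq.ResponseText);
    }
}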

The above javascript method seems to successfully get a password
protected resource in IE6 that used to be accessible through a URL of
the format

http://username:pa******@somesite.com/someresource

before.

Any obvious problems with the code?

Jul 23 '05 #6
"Dave" <noemail@anyaddressiown_invalid.com> wrote in message
news:MP************************@news.newsguy.com...
> Yes it can, in at least one way:
>
> function getDoc(url,username,password){
> var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
>
> WinHttpReq.Open("GET", url, false);
> WinHttpReq.SetCredentials(username,password,0);
> WinHttpReq.Send();
> if (WinHttpReq.Status==200){
> document.write(WinHttpReq.ResponseText);
> }
> }
>
> The above javascript method seems to successfully get a password
> protected resource in IE6 that used to be accessible through a URL of
> the format
>
> http://username:pa******@somesite.com/someresource
>
> before.
>
> Any obvious problems with the code?


Any obvious problems with the code other than the fact that if you
include the code on a page on your Internet site and attempt to browse
the site with Internet Explorer in the default configuration you get an
"Automation server can't create object" error?

--
Grant Wagner <gw*****@agricoreunited.com>
comp.lang.javascript FAQ - http://jibbering.com/faq
Jul 23 '05 #7
Grant Wagner wrote:
> "Dave" <noemail@anyaddressiown_invalid.com> wrote [...]:
>> Yes it can, in at least one way:
>>
>> function getDoc(url,username,password){
>> var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^
>> [...]
>>
>> The above javascript method seems to successfully get a password
>> protected resource in IE6 that used to be accessible through a URL of
>> the format
>>
>> http://username:pa******@somesite.com/someresource
>>
>> before.
>>
>> any obvious problems with the code?
>
> Any obvious problems with the code other than the fact that if you
> include the code on a page on your Internet site and attempt to browse
> the site with Internet Explorer in the default configuration you get an
> "Automation server can't create object" error?


Yes, and HTTP URIs do not support the FTP URI scheme feature of passing
user names and passwords in the URL (at least they should not and if they
do in a UA that has to be considered a bug, there is nothing in HTTP/1.0
or HTTP/1.1 that supports such); HTTP Authentication serves that purpose
instead.
PointedEars
Jul 23 '05 #8
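
Added example, not part of any post in this thread: the thread contrasts credentials embedded in the URL with HTTP Authentication and asks how exposed the password is in transit. This Node.js sketch splits a legacy `http://user:pass@host/` URL into a credential-free URL plus the `Authorization: Basic` header, then decodes that header the way any proxy or sniffer on a plain-HTTP link could. The function names, host, user name and password are assumptions made up for illustration.

```javascript
// Added example (not from the thread). Runs under Node.js.
// Host, user name and password below are constructed sample values.

// Split a legacy "http://user:pass@host/path" URL into a credential-free URL
// plus the Authorization header that HTTP Basic authentication uses instead.
function splitLegacyUrl(legacyUrl) {
  const u = new URL(legacyUrl);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error('only http/https URLs are handled');
  }
  if (u.username === '' && u.password === '') {
    return { url: u.href, authorization: null };
  }
  // The URL parser keeps userinfo percent-encoded; decode before re-encoding.
  const user = decodeURIComponent(u.username);
  const pass = decodeURIComponent(u.password);
  if (user.includes(':')) {
    throw new Error('Basic auth user names cannot contain ":"');
  }
  u.username = '';
  u.password = '';
  const token = Buffer.from(`${user}:${pass}`, 'utf8').toString('base64');
  return { url: u.href, authorization: `Basic ${token}` };
}

// What anyone who can read the request recovers from the header:
// base64 is an encoding, not encryption.
function decodeBasic(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(headerValue.trim());
  if (!m) return null;
  const text = Buffer.from(m[1], 'base64').toString('utf8');
  const i = text.indexOf(':'); // first ':' separates; password may contain ':'
  if (i < 0) return null;
  return { username: text.slice(0, i), password: text.slice(i + 1) };
}

// Constructed sample: the password "s3cr:t" is percent-encoded in the URL.
const sample = 'http://dave:s3cr%3At@somesite.example/someresource';
const req = splitLegacyUrl(sample);
console.log(req.url);
console.log(req.authorization);
console.log(decodeBasic(req.authorization));
```

Moving the credentials out of the URL keeps them out of the address bar, history and page source, but over plain HTTP the header is still readable; only TLS protects it on the wire.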
