Accept header authentication factor unreliable with Mozilla based browsers


    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • 0.4
    • Affects Version/s: 0.1, 0.2, 0.3, 0.3.1, 0.3.2, 0.3.3
    • Component/s: None
    • None
    • Environment:

      Firefox 1.5, Firefox 2.0, Camino

      The use of the HTTP Accept header as an authentication factor is unreliable when Mozilla-based browsers are used.

      By default, Mozilla-based browsers will send an Accept header similar to the following:

      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

      However, this changes when requesting an image embedded via the HTML IMG element:

      Accept: image/png,*/*;q=0.5

      It's also worth noting that Firefox will request JavaScript sourced via a SCRIPT element with:

      Accept: */*

      I think, in light of this, the use of the Accept header as an authentication factor isn't very reliable, as the semantics of this header mean it may vary at will.

              Assignee:
              Unassigned
              Reporter:
              Christopher Owen [Atlassian]
              Votes:
              0
              Watchers:
              0
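The behaviour reported above, as an added example that is not part of the original report or the project's own code: a session check that binds a login to request factors rejects the same browser's IMG and SCRIPT requests once Accept is one of the factors. The function names, the use of User-Agent and remote address as the other factors, the address and the User-Agent string are assumptions constructed for illustration; the three Accept values are the ones quoted in the report.

```python
import hashlib

# Accept values quoted in the report for one Firefox session.
ACCEPT_PAGE = ("text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,"
               "text/plain;q=0.8,image/png,*/*;q=0.5")
ACCEPT_IMG = "image/png,*/*;q=0.5"
ACCEPT_SCRIPT = "*/*"

# Constructed sample values (assumptions, not from the report).
REMOTE_ADDR = "192.0.2.10"
USER_AGENT = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"


def make_request(accept):
    """Build a constructed request from the same browser, varying only Accept."""
    return {"remote_addr": REMOTE_ADDR,
            "headers": {"User-Agent": USER_AGENT, "Accept": accept}}


def fingerprint(request, header_factors):
    """Hash the remote address plus the chosen headers into one binding value."""
    parts = [request["remote_addr"]]
    parts += [request["headers"].get(name, "") for name in header_factors]
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()


def session_still_valid(login_request, later_request, header_factors):
    """True when the later request reproduces the factors recorded at login."""
    return (fingerprint(login_request, header_factors)
            == fingerprint(later_request, header_factors))


def rejected_requests(header_factors):
    """Names of same-browser follow-up requests that would fail validation."""
    login = make_request(ACCEPT_PAGE)
    followups = {"page": ACCEPT_PAGE, "img": ACCEPT_IMG, "script": ACCEPT_SCRIPT}
    return sorted(name for name, accept in followups.items()
                  if not session_still_valid(login, make_request(accept),
                                             header_factors))


if __name__ == "__main__":
    # Accept as a factor: legitimate sub-resource requests are rejected.
    print("with Accept:   ", rejected_requests(["User-Agent", "Accept"]))
    # Accept excluded: every request from the same browser validates.
    print("without Accept:", rejected_requests(["User-Agent"]))
```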