os_authType=basic passing Authorization header in the URL does not work


    • 6
    • Severity 3 - Minor

      Summary

      When the username and password are put in the URL, they are not sent across the internet. They are translated by the browser into an Authorization: Basic header. The current behavior of JIRA seems to be: if it receives an os_authType=basic request that already has the Authorization header, without first receiving one that doesn't, it will send you a blank page, but it will set all of your authorization cookies appropriately so that if you refresh, your requested page will load correctly (without prompting you for credentials).

      Environment

      Cloud - JIRA v1000.789.1

      Steps to Reproduce

      1. Run:

      curl -i "https://<instance>.atlassian.net/browse/AD-145?os_authType=basic" -H "Authorization: Basic <base64 value>"

      Expected: Returns the HTML content for issue AD-145
      Actual: Returns an HTTP 200 with no content
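
      The two behaviours described in the Summary, as an added example that is not part of the original ticket and is not Atlassian code: it derives the Authorization: Basic header a client builds from credentials in the URL, and flags a captured response that matches the symptom (HTTP 200, cookies set, empty body). The host, credentials, cookie name and sample response are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_url_credentials(url):
    """Return (url_without_userinfo, Authorization header value or None).

    Mirrors what a client does with https://user:pass@host/...: the userinfo
    is removed from the request target and sent as a Basic header instead.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    host = parts.hostname
    if parts.port:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, f"Basic {token}"


def shows_blank_200(raw_response):
    """True when a raw HTTP response is a 200 that sets cookies but has no body."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].split()
    is_200 = len(status) >= 2 and status[1] == b"200"
    sets_cookie = any(l.lower().startswith(b"set-cookie:") for l in lines[1:])
    return is_200 and sets_cookie and body.strip() == b""


# Constructed sample input: placeholder host, credentials and cookie name.
SAMPLE_URL = "https://alice:s3cret@jira.example.invalid/browse/AD-145?os_authType=basic"
SAMPLE_BLANK = (b"HTTP/1.1 200 OK\r\n"
                b"Set-Cookie: session=constructed; Path=/\r\n"
                b"Content-Length: 0\r\n\r\n")
SAMPLE_PAGE = (b"HTTP/1.1 200 OK\r\n"
               b"Set-Cookie: session=constructed; Path=/\r\n\r\n"
               b"<html>AD-145</html>")

if __name__ == "__main__":
    url, header = split_url_credentials(SAMPLE_URL)
    print(url)
    print("Authorization:", header)
    print("blank 200 symptom:", shows_blank_200(SAMPLE_BLANK))
    print("normal page flagged:", shows_blank_200(SAMPLE_PAGE))
```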

            Assignee:
            Unassigned
            Reporter:
            bpevandro (Inactive)
            Votes:
            4
            Watchers:
            10
