Can Javascript do Basic Auth in IE6?

[Dave]

A microsoft security patch disabled URLs of the format

http://username:[email protected]/someresource

There are programmatic ways to get around this but I can't find an
example in Javascript.

I've seen the msdn knowledge base article on the subject

http://support.microsoft.com/kb/834489/

The registry hack is no good for customers. We can't make them edit
their registry.

I think it is possible to access an ActiveX object that will allow the
username and password to be set programatically.

Under IE Javascript is capable of handling ActiveX objects. Is it
possible to access sites with Basic Auth by allowing Javascript to set
the username and password?

Example code would be great.

Thanks for any help!

 

[Hywel Jenkins]

A microsoft security patch disabled URLs of the format

http://username:[email protected]/someresource

There are programmatic ways to get around this but I can't find an
example in Javascript.

I've seen the msdn knowledge base article on the subject

http://support.microsoft.com/kb/834489/

The registry hack is no good for customers. We can't make them edit
their registry.

I think it is possible to access an ActiveX object that will allow the
username and password to be set programatically.

Under IE Javascript is capable of handling ActiveX objects. Is it
possible to access sites with Basic Auth by allowing Javascript to set
the username and password?

Possibly, but what security is there in sending usernames and passwords
to the client, in clear text?

 

[Dave]

Not bullet proof but that is the way some resources protect themselves.

It's still an improvement because the username and password don't appear
in the source of the webpage.

So now, if you want to steal the usename and password you need a proxy
or packet sniffer, not just a browser with a "View Source" option.

In anycase, do you have any information on how it's done?

 

[Nathan]

Do it on the server.

Best way to lock it down is by having either a server-side script to do
authorization, or use a .htaccess file (Apache) to prompt.

 

[Dave]

Do it on the server.

Best way to lock it down is by having either a server-side script to do
authorization, or use a .htaccess file (Apache) to prompt.

Our servers may not have access to the protected resource due to our
customers network topology, firewalls or whatever.

We ned to produce a page that will give our customers direct accccess to
Basic Auth resources. We can't always do it on the server.

In anycase, I finally figured out the code and I'll post the answer
later.

 

[Dave]

Yes it can, in at least one way:

function getDoc(url,username,password){
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");

WinHttpReq.Open("GET", url, false);
WinHttpReq.SetCredentials(username,password,0);
WinHttpReq.Send();
if (WinHttpReq.Status==200){
document.write(WinHttpReq.ResponseText);
}

The above javascript method seems to successfully get a password
protected resource in IE6 that used to be accessible through a URL of
the format

http://username:[email protected]/someresource

before.

any obvious problems with the code?

 

[Grant Wagner]

Yes it can, in at least one way:

function getDoc(url,username,password){
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");

WinHttpReq.Open("GET", url, false);
WinHttpReq.SetCredentials(username,password,0);
WinHttpReq.Send();
if (WinHttpReq.Status==200){
document.write(WinHttpReq.ResponseText);
}

The above javascript method seems to successfully get a password
protected resource in IE6 that used to be accessible through a URL of
the format

http://username:[email protected]/someresource

before.

any obvious problems with the code?

Any obvious problems with the code other than the fact that if you
include the code on a page on your Internet site and attempt to browse
the site with Internet Explorer in the default configuration you get an
"Automation server can't create object" error?