fix: prevent native credentials window (#974)

DevExpress · Nov 29, 2016 · fa04980 · fa04980
1 parent bb719bd
commit fa04980
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/src/request-pipeline/header-transforms.js b/src/request-pipeline/header-transforms.js
@@ -92,6 +92,9 @@ var responseTransforms = {
     'x-content-security-policy-report-only': skip,
     'x-webkit-csp':                          skip,
 
+    // NOTE: Even if we are not able to be authorized, we should prevent showing the native credentials window.
+    'www-authenticate': skip,
+
     // NOTE: We perform CORS checks on our side, so we skip the related headers.
     'access-control-allow-origin': skip,
 

diff --git a/test/server/auth-test.js b/test/server/auth-test.js
@@ -126,7 +126,8 @@ describe('Authentication', function () {
             request(proxy.openSession('http://127.0.0.1:1507/', session), function (err, res, body) {
                 expect(body).equal('Access denied');
                 expect(res.statusCode).equal(401);
-
+                // NOTE: prevent showing the native credentials window.
+                expect(res.headers['www-authenticate']).to.be.undefined;
                 done();
             });
         });