From fa04980eea725219904725b7be6483381f8ca83b Mon Sep 17 00:00:00 2001
From: Andrey Churkin
Date: Tue, 29 Nov 2016 12:28:38 +0300
Subject: [PATCH] fix: prevent native credentials window (#974)

---
 src/request-pipeline/header-transforms.js | 3 +++
 test/server/auth-test.js                  | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/request-pipeline/header-transforms.js b/src/request-pipeline/header-transforms.js
index 0d702c77f..a77206683 100644
--- a/src/request-pipeline/header-transforms.js
+++ b/src/request-pipeline/header-transforms.js
@@ -92,6 +92,9 @@ var responseTransforms = {
     'x-content-security-policy-report-only': skip,
     'x-webkit-csp': skip,
+    // NOTE: Even if we are not able to be authorized, we should prevent showing the native credentials window.
+    'www-authenticate': skip,
+
     // NOTE: We perform CORS checks on our side, so we skip the related headers.
     'access-control-allow-origin': skip,
diff --git a/test/server/auth-test.js b/test/server/auth-test.js
index 02844437e..2db2a3a9f 100644
--- a/test/server/auth-test.js
+++ b/test/server/auth-test.js
@@ -126,7 +126,8 @@ describe('Authentication', function () {
         request(proxy.openSession('http://127.0.0.1:1507/', session), function (err, res, body) {
             expect(body).equal('Access denied');
             expect(res.statusCode).equal(401);
-
+            // NOTE: prevent showing the native credentials window.
+            expect(res.headers['www-authenticate']).to.be.undefined;
             done();
         });
     });
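Review bot: The new `'www-authenticate': skip` entry drops the header from every proxied response, not only 401s, so page scripts that read it via XHR/fetch (`getResponseHeader('WWW-Authenticate')`) now see nothing and the 401 is forwarded without the challenge the origin sent; that trade-off is the point of the fix, but the NOTE does not say so. I would make the comment explicit: `// NOTE: Strip WWW-Authenticate from every response so the browser never opens its native credentials dialog; the 401 itself is still passed through to the page, which means scripts can no longer read the challenge (scheme/realm).` If the same dialog can be triggered by a 407 from an upstream proxy, `proxy-authenticate` presumably needs the same treatment, but nothing in this hunk shows whether that path exists. The `responseTransforms` object starts before the hunk and continues past it.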
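Review bot: The added `expect(res.headers['www-authenticate']).to.be.undefined` passes vacuously if the fixture server behind `127.0.0.1:1507` never sends a `WWW-Authenticate` challenge with its 401, so as written it does not prove the header is actually stripped; the fixture is set up outside this hunk, so I cannot tell from here whether it does. I would have the 401 route emit an explicit challenge, e.g. `res.setHeader('WWW-Authenticate', 'Basic realm="test"')` (or the equivalent for whatever server the fixture uses) before it writes `'Access denied'`, so that removing the `skip` entry makes this test fail. Node's http module lowercases incoming header names, so the lowercase lookup itself is correct. The enclosing `describe('Authentication', ...)` block starts before the hunk.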