Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#11223 closed bug (wontfix)

Tabs not working in firefox with authentication in the URL

Reported by: broesel Owned by:
Priority: minor Milestone: none
Component: ui.tabs Version: 1.11.3
Keywords: Cc:
Blocked by: Blocking:


Don't know if it is a bug in jQuery or Firefox. When opening a webpage with Firefox (checked with 35.01) with user credentials in the URL, the Tab-Widget is broken.

E.g. the tab demo page:

Change History (3)

comment:1 Changed 5 years ago by Scott González

So this happens because Firefox hides the user:pass from the location object. You can actually expect this break in Chrome stable very soon as they already have the same behavior as Firefox in Canary and dev (haven't checked beta). The best solution is for you to just not use URLs like that since it's a pretty terrible authentication method. We'll discuss this and decide if we want to fix this or just encourage users to move away from authentication in URLs.

comment:2 Changed 5 years ago by Scott González

Resolution: wontfix
Status: newclosed

The team has decided that we don't want to change the logic to support this because technically we cannot detect this properly (What if some tabs are using authentication and some aren't?). Our recommendation is to stop using this authentication method and switch to a safer form that does not expose the user's credentials in the URL. For those that cannot change the authentication in a timely manner, here's an extension that should work for you:

$.widget( "ui.tabs", $.ui.tabs, {
	_isLocal: function( anchor ) {

		// If there's no hash, it can't be local
		if ( !anchor.hash.length ) {
			return false;

		// Intentionally skip hash, username, password
		// href may contain username and password, so we can't use that
		// host, hostname, port, and protocol are all included in origin
		var urlParts = [ "origin", "pathname", "search" ];
		var isLocal = true;

		$.each( urlParts, function( urlPart ) {
			var anchorValue = anchor[ urlPart ];
			var locationValue = location[ urlPart ];

			// Decoding may throw an error if the URL isn't UTF-8 (#9518)
			try {
				anchorValue = decodeURIComponent( anchorValue );
			} catch ( error ) {}
			try {
				locationValue = decodeURIComponent( locationValue );
			} catch ( error ) {}

			if ( anchorValue !== locationValue ) {
				isLocal = false;
				return false;

		return isLocal;

comment:3 Changed 5 years ago by Scott González

#13348 is a duplicate of this ticket.

Note: See TracTickets for help on using tickets.