Skip to main content

Search and Top Navigation

#11223 closed bug (wontfix)

Opened February 25, 2015 10:08AM UTC

Closed February 26, 2015 01:01PM UTC

Last modified June 30, 2015 11:51PM UTC

Tabs not working in firefox with authentication in the URL

Reported by: broesel Owned by:
Priority: minor Milestone: none
Component: ui.tabs Version: 1.11.3
Keywords: Cc:
Blocked by: Blocking:
Description

Don't know if it is a bug in jQuery or Firefox. When opening a webpage with Firefox (checked with 35.01) with user credentials in the URL, the Tab-Widget is broken.

E.g. the tab demo page:

http://test:test@jqueryui.com/resources/demos/tabs/default.html

Attachments (0)
Change History (3)

Changed February 25, 2015 03:02PM UTC by scottgonzalez comment:1

So this happens because Firefox hides the user:pass from the location object. You can actually expect this break in Chrome stable very soon as they already have the same behavior as Firefox in Canary and dev (haven't checked beta). The best solution is for you to just not use URLs like that since it's a pretty terrible authentication method. We'll discuss this and decide if we want to fix this or just encourage users to move away from authentication in URLs.

Changed February 26, 2015 01:01PM UTC by scottgonzalez comment:2

resolution: → wontfix
status: newclosed

The team has decided that we don't want to change the logic to support this because technically we cannot detect this properly (What if some tabs are using authentication and some aren't?). Our recommendation is to stop using this authentication method and switch to a safer form that does not expose the user's credentials in the URL. For those that cannot change the authentication in a timely manner, here's an extension that should work for you:

$.widget( "ui.tabs", $.ui.tabs, {
	_isLocal: function( anchor ) {

		// If there's no hash, it can't be local
		if ( !anchor.hash.length ) {
			return false;
		}

		// http://bugs.jqueryui.com/ticket/11223
		// Intentionally skip hash, username, password
		// href may contain username and password, so we can't use that
		// host, hostname, port, and protocol are all included in origin
		var urlParts = [ "origin", "pathname", "search" ];
		var isLocal = true;

		$.each( urlParts, function( urlPart ) {
			var anchorValue = anchor[ urlPart ];
			var locationValue = location[ urlPart ];

			// Decoding may throw an error if the URL isn't UTF-8 (#9518)
			try {
				anchorValue = decodeURIComponent( anchorValue );
			} catch ( error ) {}
			try {
				locationValue = decodeURIComponent( locationValue );
			} catch ( error ) {}

			if ( anchorValue !== locationValue ) {
				isLocal = false;
				return false;
			}
		});

		return isLocal;
	}
});

Changed June 30, 2015 11:51PM UTC by scottgonzalez comment:3

#13348 is a duplicate of this ticket.