Comments on: iPhone Safari and XmlHttpRequest Authorization-Headers http://devilx.net/2009/10/23/iphone-safari-and-xmlhttprequest-authorization-headers/ Thu, 24 Nov 2011 21:17:44 +0000 hourly 1 http://wordpress.org/?v=3.3 By: Yuri http://devilx.net/2009/10/23/iphone-safari-and-xmlhttprequest-authorization-headers/#comment-11974 Yuri Mon, 25 Apr 2011 15:31:47 +0000 http://www.devilx.net/?p=1026#comment-11974 Thank you man! What is more we use OData which is waiting for Authorization header! Lol! Thank you man! What is more we use OData which is waiting for Authorization header! Lol!

]]> By: Teguh Eko Budiarto http://devilx.net/2009/10/23/iphone-safari-and-xmlhttprequest-authorization-headers/#comment-10171 Teguh Eko Budiarto Mon, 06 Dec 2010 09:54:19 +0000 http://www.devilx.net/?p=1026#comment-10171 Your article saved me a lot of my time. Thank you very much to write this article. Your article saved me a lot of my time. Thank you very much to write this article.

]]> By: Gene G. http://devilx.net/2009/10/23/iphone-safari-and-xmlhttprequest-authorization-headers/#comment-8645 Gene G. Sun, 01 Aug 2010 04:36:25 +0000 http://www.devilx.net/?p=1026#comment-8645 I just ran into this problem myself and before I found your page I actually packet sniffed the HTTP traffic from my iPhone (running 3.1.3). My results match yours: the iPhone (but not my iPad) forcibly removing the Authorization header. For what it's worth, this doesn't seem to be a problem any more in 3.2 or iOS 4. I just ran into this problem myself and before I found your page I actually packet sniffed the HTTP traffic from my iPhone (running 3.1.3). My results match yours: the iPhone (but not my iPad) forcibly removing the Authorization header. For what it’s worth, this doesn’t seem to be a problem any more in 3.2 or iOS 4.

]]> By: Marius M. http://devilx.net/2009/10/23/iphone-safari-and-xmlhttprequest-authorization-headers/#comment-6735 Marius M. Fri, 09 Apr 2010 17:05:47 +0000 http://www.devilx.net/?p=1026#comment-6735 Hi krishan, thank you for the hint, first of all. Well, indeed this could be a solution for avoiding the limitation Apple seems to have built-in to the iPhone - although it's not a very practicable one. Due to the fact that you're actually providing your login credentials via URL, the whole login-procedure becomes worthless, since under specific (pretty easy to accomplish) circumstances those credentials could be read by third-parties. Yet, I'm still searching for a better solution. Hi krishan,

thank you for the hint, first of all. Well, indeed this could be a solution for avoiding the limitation Apple seems to have built-in to the iPhone – although it’s not a very practicable one. Due to the fact that you’re actually providing your login credentials via URL, the whole login-procedure becomes worthless, since under specific (pretty easy to accomplish) circumstances those credentials could be read by third-parties.

Yet, I’m still searching for a better solution.

]]> By: krishnan http://devilx.net/2009/10/23/iphone-safari-and-xmlhttprequest-authorization-headers/#comment-6710 krishnan Thu, 08 Apr 2010 10:36:43 +0000 http://www.devilx.net/?p=1026#comment-6710 Hi , I was able to find a way to solve this problem. Check out this http://for-budding-developers.blogspot.com/2010/04/iphone-web-app-accessing-webservice.html Hi ,

I was able to find a way to solve this problem. Check out this http://for-budding-developers.blogspot.com/2010/04/iphone-web-app-accessing-webservice.html

]]> By: Marius M. http://devilx.net/2009/10/23/iphone-safari-and-xmlhttprequest-authorization-headers/#comment-5148 Marius M. Mon, 08 Feb 2010 07:34:24 +0000 http://www.devilx.net/?p=1026#comment-5148 Hi Jon, Γειά Panagiotis and Hello James, first of all, thank you all for your comments to my post. I'm glad to see not being the only one fighting with this problem. As I've already explained within the post, using my own REST back-end it was simply possible to change the header's name to something that is not being blocked by the mobile Safari from being sent. However, currently I'm fighting the problem again, though now I'm using an Apache 2 as back-end to which I'd like to authorize using HTTP Basic Authentication. Unfortunately, Apple didn't seem to have removed this "feature" of the Authorization header not being sent by iPhone OS 3.1.2. I was searching for a way to "redirect" an incoming X-Authorization or whatever-named header to "Authorization" *before* the Apache actually processes the header, unfortunately I had no success with SetEnvIf and RequestHeader settings in my .htaccess/000-default configuration. Has any of you managed it, to "rewrite" the custom header back to the original "Authorization" header before the Apache actually processes the header-information, so that an iPhone Client could send "Auth" and still would be able to authenticate? :) Here are some of my tries: --- SetEnvIf Auth ^Basic MyAuth RequestHeader add Authorization env=MyAuth --- RequestHeader add Authorization "%{Auth}e" --- SetEnvIf Auth "^(Basic .+)$" myauth RequestHeader unset Authorization early RequestHeader set Authorization env=myauth --- None of them seem to be working on the Apache itself. Maybe, those only work on another Apache that would mod_proxy *before* the actual Apache that provides the authentication? Hm... Hi Jon, Γειά Panagiotis and Hello James,

first of all, thank you all for your comments to my post. I’m glad to see not being the only one fighting with this problem.

As I’ve already explained within the post, using my own REST back-end it was simply possible to change the header’s name to something that is not being blocked by the mobile Safari from being sent.

However, currently I’m fighting the problem again, though now I’m using an Apache 2 as back-end to which I’d like to authorize using HTTP Basic Authentication. Unfortunately, Apple didn’t seem to have removed this “feature” of the Authorization header not being sent by iPhone OS 3.1.2.

I was searching for a way to “redirect” an incoming X-Authorization or whatever-named header to “Authorization” *before* the Apache actually processes the header, unfortunately I had no success with SetEnvIf and RequestHeader settings in my .htaccess/000-default configuration.

Has any of you managed it, to “rewrite” the custom header back to the original “Authorization” header before the Apache actually processes the header-information, so that an iPhone Client could send “Auth” and still would be able to authenticate? :)

Here are some of my tries:


SetEnvIf Auth ^Basic MyAuth
RequestHeader add Authorization env=MyAuth

RequestHeader add Authorization “%{Auth}e”

SetEnvIf Auth “^(Basic .+)$” myauth
RequestHeader unset Authorization early
RequestHeader set Authorization env=myauth

None of them seem to be working on the Apache itself. Maybe, those only work on another Apache that would mod_proxy *before* the actual Apache that provides the authentication? Hm…

]]> By: James Emerton http://devilx.net/2009/10/23/iphone-safari-and-xmlhttprequest-authorization-headers/#comment-5134 James Emerton Sun, 07 Feb 2010 19:51:23 +0000 http://www.devilx.net/?p=1026#comment-5134 I've been doing much the same thing with an Ajax app that authenticates with our REST API using OAuth. I've done some additional research. The <a href="http://www.w3.org/TR/2009/WD-XMLHttpRequest2-20090820/#the-setrequestheader-method" rel="nofollow">current (Aug 2009) version</a> of the XMLHttpRequest spec, Authorization is not in the list of proscribed headers. The <a href="http://www.w3.org/TR/2008/WD-XMLHttpRequest2-20080930/#setrequestheader" rel="nofollow">previous version</a> does specify Authorization as a "secure" header. I'll be implementing a workaround for now, setting both the Authorization and X-Authorization headers. I’ve been doing much the same thing with an Ajax app that authenticates with our REST API using OAuth. I’ve done some additional research.

The current (Aug 2009) version of the XMLHttpRequest spec, Authorization is not in the list of proscribed headers.

The previous version does specify Authorization as a “secure” header.

I’ll be implementing a workaround for now, setting both the Authorization and X-Authorization headers.

]]> By: Panagiotis Astithas http://devilx.net/2009/10/23/iphone-safari-and-xmlhttprequest-authorization-headers/#comment-4847 Panagiotis Astithas Sun, 31 Jan 2010 12:20:41 +0000 http://www.devilx.net/?p=1026#comment-4847 If you go to settings and enable the debugger in Mobile Safari, you will observe an error saying that the browser refused to set unsafe header Authorization. So, it is actually a deliberate action, albeit unusual since RFC 2616 does not appear to require such behavior AFAICT. They are probably concerned about malicious scripts messing with user credentials during authentication. If you go to settings and enable the debugger in Mobile Safari, you will observe an error saying that the browser refused to set unsafe header Authorization. So, it is actually a deliberate action, albeit unusual since RFC 2616 does not appear to require such behavior AFAICT. They are probably concerned about malicious scripts messing with user credentials during authentication.

]]> By: Jon http://devilx.net/2009/10/23/iphone-safari-and-xmlhttprequest-authorization-headers/#comment-4686 Jon Mon, 25 Jan 2010 20:14:38 +0000 http://www.devilx.net/?p=1026#comment-4686 Thank you! You are not the only one trying to get the iPhone to accept the javascript Authorization header. Thank you! You are not the only one trying to get the iPhone to accept the javascript Authorization header.

]]>