We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Vyhľadajte odpoveď

Vyhnite sa podvodom s podporou. Nikdy vás nebudeme žiadať, aby ste zavolali alebo poslali SMS na telefónne číslo alebo zdieľali osobné informácie. Nahláste prosím podozrivú aktivitu použitím voľby “Nahlásiť zneužitie”.

Ďalšie informácie

Firefox 76 doesn't always resend the POST request body after Kerberos authentication

  • 1 odpoveď
  • 1 má tento problém
  • 1 zobrazenie
  • Posledná odpoveď od Roland Tanglao

more options

I develop for an intranet application at work. It is based on ASP.NET Webforms. The production servers have IIS 7 with persistent authentication disabled (Persist-Auth: false), which means that the browser should re-authenticate on every request. For a POST request (full PostBack) with a large enough body, Firefox does not resend the request body anymore as of Firefox 76 (worked with previous versions). I have verified this in Fiddler. Other browsers do not have this issue. This breaks the website because the ViewState is not being sent.

Expected compliant behavior (Chrome does it like this):

  1. Browser sends the request (without authorization header)
  2. Server responds with 401
  3. Browser resends the same complete request, with authorization header
  4. Server responds with 200 + content

Incorrect behaviour in Firefox 76:

  1. Browser sends the request (without authorization header)
  2. Server responds with 401
  3. Browser resends the request with an empty body, with authorization header
  4. Server waits for the body but does not receive it, and the request gets cancelled after 2 minutes. Eventually, the browser displays a 401 Not Authorized error, but with Fiddler running I can see a 408 error with the text: "The request body did not contain the specified number of bytes. Got 0, expected xxx."

Just for fun, this is the non-compliant behavior in IE11 that actually works, unlike Firefox:

  1. Browser sends the request with the authorization header from the previous GET request
  2. Server responds with 200 + content
I develop for an intranet application at work. It is based on ASP.NET Webforms. The production servers have IIS 7 with persistent authentication disabled (Persist-Auth: false), which means that the browser should re-authenticate on every request. For a POST request (full PostBack) with a large enough body, Firefox does not resend the request body anymore as of Firefox 76 (worked with previous versions). I have verified this in Fiddler. Other browsers do not have this issue. This breaks the website because the ViewState is not being sent. Expected compliant behavior (Chrome does it like this): # Browser sends the request (without authorization header) # Server responds with 401 # Browser resends the same complete request, with authorization header # Server responds with 200 + content Incorrect behaviour in Firefox 76: # Browser sends the request (without authorization header) # Server responds with 401 # Browser resends the request with an empty body, with authorization header # Server waits for the body but does not receive it, and the request gets cancelled after 2 minutes. Eventually, the browser displays a 401 Not Authorized error, but with Fiddler running I can see a 408 error with the text: "The request body did not contain the specified number of bytes. Got 0, expected xxx." Just for fun, this is the non-compliant behavior in IE11 that actually works, unlike Firefox: # Browser sends the request with the authorization header from the previous GET request # Server responds with 200 + content

Upravil(a) OronDF343 dňa

Všetky odpovede (1)

more options

Hi OronDF343

This is not a web developer forum; this forum is focused on user questions.

I would file a bug in bugzilla: https://bugzilla.mozilla.org/home or ask a question in stack overflow and tag it firefox https://stackoverflow.com/questions/tagged/firefox


Cheers! ..Roland