Safari 12 replaces authorization header
We have a web server (nginx) at https://www.website.com which is protected by basic authentication. The API at https://www.website.com/api does not have basic authentication!

The problem now is, since Safari 12 (macOS & iOS), the HTTP header set by our JavaScript application with a Bearer token for /api requests is actually not sent to the server, because it is replaced with the Basic token. I can see this in the network tab in the Safari developer tools. As mentioned before, /api is public and not protected!

Chrome, e.g., does send the correct Bearer token and not the Basic one.

When I remove the basic authentication in the nginx configuration and restart Safari, everything works fine and the Bearer token is sent to the API.

It seems that Safari 12 just automatically sends the Basic token along with every request for the domain.

Does anybody have an idea if this is a bug in Safari? One solution might be that we change the API target from /api to a separate subdomain like api.website.com.

Thanks for your help.

Divorcement answered 22/9, 2018 at 11:58 Comment(5)
We are getting this also. – Exsert
@sven-w did you ever find a workaround for this? Or did you stick with adding a subdomain? – Microsecond
We are now using a custom HTTP header 'x-auth-token'. – Divorcement
Did you find any solution to this issue? – Ultrared
The solution above works for us since then. – Divorcement
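The workaround from the comments (carrying the API token in a custom `x-auth-token` header that Safari leaves untouched), as an added server-side example that is not code from the question or its answers. It assumes a Node.js backend behind the nginx described above and that the application token is a Bearer token; the header name comes from the comment, everything else is constructed.

```javascript
// Added example (not from the question or its answers): a server-side token
// extractor for the public /api routes. The SPA sends its token in the custom
// "x-auth-token" header, which Safari does not replace, and the server prefers
// that header. An "Authorization: Basic ..." value on /api is the credential
// Safari injected for the site's basic-auth realm, so it is treated as
// "no token" rather than as a malformed API token. Assumes Node.js (req.headers
// exposes header names in lower case) and a Bearer-style application token.

const CUSTOM_TOKEN_HEADER = "x-auth-token"; // header name from the comment thread

// Returns the API token carried by the request headers, or null when none.
function extractApiToken(headers) {
  const custom = headers[CUSTOM_TOKEN_HEADER];
  if (typeof custom === "string" && custom.trim() !== "") {
    return custom.trim();
  }
  const auth = headers["authorization"];
  if (typeof auth !== "string") return null;
  const match = /^Bearer\s+(\S+)$/i.exec(auth.trim());
  // "Basic ..." (what Safari 12 substitutes) or any other scheme yields null:
  // the client did not deliver a Bearer token, so the request is simply
  // unauthenticated instead of failing with a confusing "invalid token" error.
  return match ? match[1] : null;
}

// Classifies a request the way an /api handler or access log would, so the
// Safari symptom shows up in server-side metrics as "basic_injected".
function classifyAuth(headers) {
  if (extractApiToken(headers)) return "token";
  const auth = headers["authorization"];
  if (typeof auth === "string" && /^Basic\s/i.test(auth)) return "basic_injected";
  return "none";
}

// Constructed sample headers, modelled on the browsers named in the question.
const chromeRequest = { authorization: "Bearer eyJhbGciOi.example.token" };
const safariRequest = { authorization: "Basic dXNlcjpzZWNyZXQ=" }; // "user:secret", constructed
const safariWithWorkaround = {
  authorization: "Basic dXNlcjpzZWNyZXQ=",
  "x-auth-token": "eyJhbGciOi.example.token",
};

console.log(classifyAuth(chromeRequest), classifyAuth(safariRequest), classifyAuth(safariWithWorkaround));
```

Logging the `basic_injected` case separately makes it easy to confirm from nginx or application logs that the Safari substitution, and not an application bug, is behind the failed API calls.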
I can tell you that I am seeing the same issue with your proposed "api.website.com" solution. Safari seems not to care about the subdomain; it seems to only care about the domain.

Lanfranc answered 30/10, 2020 at 20:34 Comment(0)
I can confirm this is an issue with Safari; no solution I could figure out right now.

Larson answered 28/1, 2021 at 14:4 Comment(0)