http basic auth popup makes extension unusable

[reox]

I fear there is still a bug related to #370: I have a website which uses http basic auth and when I open it, I get 50+ popups from browserpass. They all hang and display nothing but the window outline. Furthermore, my CPU goes to 100% and the browserpass extension gets unusable.

I believe the issue may be that this page I want to open contains several images which all require the auth. Basically, the rule I set in nginx is:

server {
    [...]
    auth_basic            "Restricted Access";
    auth_basic_user_file  htpasswd;
    [...]
}

[maximbaz]

Interesting use case, we should prevent multiple popups for the same tab or host! Thanks for sharing!

[reox]

Interesting use case, we should prevent multiple popups for the same tab or host! Thanks for sharing!

I guess that that could already solve the issue!

[patgmiller]

@reox could you possibly share a screen recording of this? In case it helps, I use this extension for mine, https://chromewebstore.google.com/detail/screen-recorder/hniebljpgcogalllopnjokppmgbhaden

Or even the url and or console log of the service worker when this happens? It would help immensely it identifying the issue, thanks.

[reox]

Here is a recording:

Recording.mp4

I access it from a bookmark and the lines you see are just <hr>. It is basically a dashboard that shows a lot of plots...
You can see it takes a while until the first popup pops up.

But I think it may be a bit hard to replicate. I setup a demo site here: https://demo.reox.at username "demo", password "password".
However, I was not able to trigger it so far. I think the issue may be that the browser somehow caches the HTML and knows that there are a ton of images it should load. However, if you never visited the site before, it cannot know that there are images to load.
Thus, I think this only triggers when the browser knows that there are things to load - does that makes sense?

[AnrDaemon]

For what it's worth, Vivaldi prevents extensions from interacting with HTTP auth request window.

[maximbaz]

Uhh, thanks for the info, not sure if we'll be able to do anything about that, but it's good to know...

[reox]

Interessting: Now (after a reboot and firefox update) I only get a single browserpass popup. I can close it and enter the credentials and everything works...
I guess it may simply be a weird edge case were the browser has some information cached?

[patgmiller]

Interessting: Now (after a reboot and firefox update) I only get a single browserpass popup. I can close it and enter the credentials and everything works... I guess it may simply be a weird edge case were the browser has some information cached?

Thank you @reox for the updated information. I was getting ready to look at it this weekend. If it resurfaces I'll be happy to try to duplicate and resolve it.

[reox]

So far, I did not had the problem again. I can imagine it is a combination of having the page in the browser cache but not the credentials and upgrading the extension at the same time.
I wasn't able to reproduce it so far.
From my point of view you may close the issue, but if you think it may be a deeper problem, I can try to reproduce it once more.

[allo-]

I just came here to open an issue to ask for a preference to disable httpauth dialogs. The UI is kinda modal (I think less than the actual httpauth password dialog) and gets in the way when you want to login with a password that isn't stored in (browser)pass. Now I always have to close the browserpass window first.

For my part, I just want a checkbox to disable browserpass for httpauth. I could imagine that this could be handled by a more passive UI, but it's probably hard to manage without knowing if the user wants to login with browserpass, by typing the password, or by using Firefox's password manager, so a feature to just disable it when you don't need/want it would be good anyway.

[maximbaz]

Could you please open a separate issue for this? I'd like to understand more what makes you prefer to use e.g. Firefox password manager for some portion of websites as opposed to using browserpass for everything. Thanks!

[reox]

It happened again today! But I'm still not sure how to reproduce it... Could be the case that it is caused when the website is opened via a bookmark?
Because I can see the HTML page without the images, before the http basic auth shows up - thus the browser has cached the HTML somehow.

[patgmiller]

It happened again today! But I'm still not sure how to reproduce it... Could be the case that it is caused when the website is opened via a bookmark? Because I can see the HTML page without the images, before the http basic auth shows up - thus the browser has cached the HTML somehow.

@reox is the URL of that site publicly accessible something we can use to attempt to reproduce it?

[reox]

@patgmiller The particular site I'm using is internal - however I set up the demo page with the same settings on nginx:

https://demo.reox.at/ username "demo", password "password".

I added it now to my bookmarks and will try to replicate it there as well!

[reox]

Actually, I can reproduce it! I added the demo page to my bookmark list and opened it after some hours. I can see that some of the photos load but then I get several pop-ups from browserpass. It is not that severe than on my other page but I think it shows the problem.

[patgmiller]

okay, thanks @reox for your help in reproducing the issue, I will see what I can figure out with it.

[AnrDaemon]

In fact… I can reproduce it too. My issue is complicated, that's why I wasn't sure of the origin for so long.
The full explanation:

1. SwitchyOmega (automatic proxy switcher, thanks to all the idiots in the internet)
2. Remote HTTPS proxy with authentication.
3. A number of open tabs that go through proxy.
4. When the browser starts, the proxy password is not sent outright (for security reasons), first time it is accessed without one to see if it is actually needed.
5. The browserpass extension popup window comes up for each request that ends in 401.
6. See above, Vivaldi explicitly blocks access to HTTP authentication request dialog.