https://bugs.webkit.org/show_bug.cgi?id=66354 and <rdar://problem/9965209>

Regression: On Lion, redirects lose HTTP authentication headers Source/WebCore: Reviewed by Alexey Proskuryakov and Darin Adler. This changes makes WebCore try to apply basic credentials after a redirect if the redirect is to the same origin, assuming the redirected URL did not contain credentials directly. Tests: http/tests/misc/authentication-redirect-1/authentication-sent-to-redirect-cross-origin.html http/tests/misc/authentication-redirect-2/authentication-sent-to-redirect-same-origin.html http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials.html * platform/network/cf/ResourceHandleCFNet.cpp: (WebCore::applyBasicAuthorizationHeader): Apply the user/password from a credential to the HTTP headers for a request. (WebCore::ResourceHandle::createCFURLConnection): Use the applyBasicAuthorizationHeader helper. (WebCore::ResourceHandle::willSendRequest): If this is a redirect within the same origin, apply any stored target credentials to the new request. * platform/network/mac/ResourceHandleMac.mm: (WebCore::applyBasicAuthorizationHeader): Apply the user/password from a credential to the HTTP headers for a request. (WebCore::ResourceHandle::createNSURLConnection): Use the applyBasicAuthorizationHeader helper. (WebCore::ResourceHandle::willSendRequest): If this is a redirect within the same origin, apply any stored target credentials to the new request. LayoutTests: These have to be in different paths to prevent credentials from leaking over from test to test. Sad sad sad... Reviewed by Alexey Proskuryakov. * http/tests/misc/authentication-redirect-1: Added. * http/tests/misc/authentication-redirect-1/authentication-sent-to-redirect-cross-origin-expected.txt: Copied from LayoutTests/http/tests/misc/authentication-sent-to-redirect-expected.txt. * http/tests/misc/authentication-redirect-1/authentication-sent-to-redirect-cross-origin.html: Copied from LayoutTests/http/tests/misc/authentication-sent-to-redirect.html. * http/tests/misc/authentication-redirect-1/resources: Added. * http/tests/misc/authentication-redirect-1/resources/auth-echo.php: Copied from LayoutTests/http/tests/misc/resources/auth-echo.php. * http/tests/misc/authentication-redirect-1/resources/auth-then-redirect.php: Copied from LayoutTests/http/tests/misc/resources/auth-then-redirect.php. * http/tests/misc/authentication-redirect-2: Added. * http/tests/misc/authentication-redirect-2/authentication-sent-to-redirect-same-origin-expected.txt: Added. * http/tests/misc/authentication-redirect-2/authentication-sent-to-redirect-same-origin.html: Added. * http/tests/misc/authentication-redirect-2/resources: Added. * http/tests/misc/authentication-redirect-2/resources/auth-echo.php: Copied from LayoutTests/http/tests/misc/resources/auth-echo.php. * http/tests/misc/authentication-redirect-2/resources/auth-then-redirect.php: Copied from LayoutTests/http/tests/misc/resources/auth-then-redirect.php. * http/tests/misc/authentication-redirect-3: Added. * http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials-expected.txt: Added. * http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials.html: Added. * http/tests/misc/authentication-redirect-3/resources: Added. * http/tests/misc/authentication-redirect-3/resources/auth-echo.php: Copied from LayoutTests/http/tests/misc/resources/auth-echo.php. * http/tests/misc/authentication-redirect-3/resources/auth-then-redirect-with-url-credentials.php: Added. * http/tests/misc/authentication-redirect-3/resources/auth-then-redirect.php: Copied from LayoutTests/http/tests/misc/resources/auth-then-redirect.php. * http/tests/misc/authentication-sent-to-redirect-expected.txt: Removed. * http/tests/misc/authentication-sent-to-redirect.html: Removed. * http/tests/misc/resources/auth-echo.php: Removed. * http/tests/misc/resources/auth-then-redirect.php: Removed. git-svn-id: svn://svn.chromium.org/blink/trunk@93247 bbb929c8-8fbe-4397-9dbb-9b2b20218538

https://bugs.webkit.org/show_bug.cgi?id=66354 and <rdar://problem/9965209>
Regression: On Lion, redirects lose HTTP authentication headers Source/WebCore: Reviewed by Alexey Proskuryakov and Darin Adler. This changes makes WebCore try to apply basic credentials after a redirect if the redirect is to the same origin, assuming the redirected URL did not contain credentials directly. Tests: http/tests/misc/authentication-redirect-1/authentication-sent-to-redirect-cross-origin.html http/tests/misc/authentication-redirect-2/authentication-sent-to-redirect-same-origin.html http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials.html * platform/network/cf/ResourceHandleCFNet.cpp: (WebCore::applyBasicAuthorizationHeader): Apply the user/password from a credential to the HTTP headers for a request. (WebCore::ResourceHandle::createCFURLConnection): Use the applyBasicAuthorizationHeader helper. (WebCore::ResourceHandle::willSendRequest): If this is a redirect within the same origin, apply any stored target credentials to the new request. * platform/network/mac/ResourceHandleMac.mm: (WebCore::applyBasicAuthorizationHeader): Apply the user/password from a credential to the HTTP headers for a request. (WebCore::ResourceHandle::createNSURLConnection): Use the applyBasicAuthorizationHeader helper. (WebCore::ResourceHandle::willSendRequest): If this is a redirect within the same origin, apply any stored target credentials to the new request. LayoutTests: These have to be in different paths to prevent credentials from leaking over from test to test. Sad sad sad... Reviewed by Alexey Proskuryakov. * http/tests/misc/authentication-redirect-1: Added. * http/tests/misc/authentication-redirect-1/authentication-sent-to-redirect-cross-origin-expected.txt: Copied from LayoutTests/http/tests/misc/authentication-sent-to-redirect-expected.txt. * http/tests/misc/authentication-redirect-1/authentication-sent-to-redirect-cross-origin.html: Copied from LayoutTests/http/tests/misc/authentication-sent-to-redirect.html. * http/tests/misc/authentication-redirect-1/resources: Added. * http/tests/misc/authentication-redirect-1/resources/auth-echo.php: Copied from LayoutTests/http/tests/misc/resources/auth-echo.php. * http/tests/misc/authentication-redirect-1/resources/auth-then-redirect.php: Copied from LayoutTests/http/tests/misc/resources/auth-then-redirect.php. * http/tests/misc/authentication-redirect-2: Added. * http/tests/misc/authentication-redirect-2/authentication-sent-to-redirect-same-origin-expected.txt: Added. * http/tests/misc/authentication-redirect-2/authentication-sent-to-redirect-same-origin.html: Added. * http/tests/misc/authentication-redirect-2/resources: Added. * http/tests/misc/authentication-redirect-2/resources/auth-echo.php: Copied from LayoutTests/http/tests/misc/resources/auth-echo.php. * http/tests/misc/authentication-redirect-2/resources/auth-then-redirect.php: Copied from LayoutTests/http/tests/misc/resources/auth-then-redirect.php. * http/tests/misc/authentication-redirect-3: Added. * http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials-expected.txt: Added. * http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials.html: Added. * http/tests/misc/authentication-redirect-3/resources: Added. * http/tests/misc/authentication-redirect-3/resources/auth-echo.php: Copied from LayoutTests/http/tests/misc/resources/auth-echo.php. * http/tests/misc/authentication-redirect-3/resources/auth-then-redirect-with-url-credentials.php: Added. * http/tests/misc/authentication-redirect-3/resources/auth-then-redirect.php: Copied from LayoutTests/http/tests/misc/resources/auth-then-redirect.php. * http/tests/misc/authentication-sent-to-redirect-expected.txt: Removed. * http/tests/misc/authentication-sent-to-redirect.html: Removed. * http/tests/misc/resources/auth-echo.php: Removed. * http/tests/misc/resources/auth-then-redirect.php: Removed. git-svn-id: svn://svn.chromium.org/blink/trunk@93247 bbb929c8-8fbe-4397-9dbb-9b2b20218538
b816ac63 · beidson@apple.com · 603a8ea3 · b816ac63 · b816ac63 · b816ac63
Commit b816ac63 authored Aug 17, 2011 by beidson@apple.com
17 changed files
--- a/third_party/WebKit/LayoutTests/ChangeLog
+++ b/third_party/WebKit/LayoutTests/ChangeLog
+2011-08-17  Brady Eidson  <beidson@apple.com>
+        https://bugs.webkit.org/show_bug.cgi?id=66354 and <rdar://problem/9965209>
+        Regression:  On Lion, redirects lose HTTP authentication headers
+        These have to be in different paths to prevent credentials from leaking over from test to test.
+        Sad sad sad...
+        Reviewed by Alexey Proskuryakov.
+        * http/tests/misc/authentication-redirect-1: Added.
+        * http/tests/misc/authentication-redirect-1/authentication-sent-to-redirect-cross-origin-expected.txt: Copied from LayoutTests/http/tests/misc/authentication-sent-to-redirect-expected.txt.
+        * http/tests/misc/authentication-redirect-1/authentication-sent-to-redirect-cross-origin.html: Copied from LayoutTests/http/tests/misc/authentication-sent-to-redirect.html.
+        * http/tests/misc/authentication-redirect-1/resources: Added.
+        * http/tests/misc/authentication-redirect-1/resources/auth-echo.php: Copied from LayoutTests/http/tests/misc/resources/auth-echo.php.
+        * http/tests/misc/authentication-redirect-1/resources/auth-then-redirect.php: Copied from LayoutTests/http/tests/misc/resources/auth-then-redirect.php.
+        * http/tests/misc/authentication-redirect-2: Added.
+        * http/tests/misc/authentication-redirect-2/authentication-sent-to-redirect-same-origin-expected.txt: Added.
+        * http/tests/misc/authentication-redirect-2/authentication-sent-to-redirect-same-origin.html: Added.
+        * http/tests/misc/authentication-redirect-2/resources: Added.
+        * http/tests/misc/authentication-redirect-2/resources/auth-echo.php: Copied from LayoutTests/http/tests/misc/resources/auth-echo.php.
+        * http/tests/misc/authentication-redirect-2/resources/auth-then-redirect.php: Copied from LayoutTests/http/tests/misc/resources/auth-then-redirect.php.
+        * http/tests/misc/authentication-redirect-3: Added.
+        * http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials-expected.txt: Added.
+        * http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials.html: Added.
+        * http/tests/misc/authentication-redirect-3/resources: Added.
+        * http/tests/misc/authentication-redirect-3/resources/auth-echo.php: Copied from LayoutTests/http/tests/misc/resources/auth-echo.php.
+        * http/tests/misc/authentication-redirect-3/resources/auth-then-redirect-with-url-credentials.php: Added.
+        * http/tests/misc/authentication-redirect-3/resources/auth-then-redirect.php: Copied from LayoutTests/http/tests/misc/resources/auth-then-redirect.php.
+        * http/tests/misc/authentication-sent-to-redirect-expected.txt: Removed.
+        * http/tests/misc/authentication-sent-to-redirect.html: Removed.
+        * http/tests/misc/resources/auth-echo.php: Removed.
+        * http/tests/misc/resources/auth-then-redirect.php: Removed.
 2011-08-17  Ryosuke Niwa  <rniwa@webkit.org>
        Dump-as-markup conversion: editing/inserting/insert-3786362-fix.html
--- a/third_party/WebKit/LayoutTests/http/tests/misc/authentication-sent-to-redirect-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/misc/authentication-sent-to-redirect-expected.txt
 <unknown> - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
 https://bugs.webkit.org/show_bug.cgi?id=40138
-This test loads a php script which demands http authentication, then uses it to redirect to another script using that shows what authentication headers were sent with the final request.
+You should load this page at 127.0.0.1:8000 so localhost:8000 is considered a different security origin.
+This test loads a php script which demands http authentication, then uses it to redirect to another script in a different origin that shows what authentication headers were sent with the final request.
 It does this once each for HTTP 301, 302, 303, and 307 redirects.
 If not running under DRT, enter any credentials when asked.

--- a/third_party/WebKit/LayoutTests/http/tests/misc/authentication-sent-to-redirect.html
+++ b/third_party/WebKit/LayoutTests/http/tests/misc/authentication-sent-to-redirect.html
@@ -30,7 +30,7 @@ if (window.layoutTestController) {
 function appendFrame(code)
 {
    i = document.createElement("iframe"); 
-    i.setAttribute("src", "http://localhost:8000/misc/resources/auth-then-redirect.php?redirect=" + code); 
+    i.setAttribute("src", "http://localhost:8000/misc/authentication-redirect-1/resources/auth-then-redirect.php?redirect=" + code); 
    i.setAttribute("onload", "frameLoaded()");
    document.body.appendChild(i);
 }
@@ -39,7 +39,8 @@ function appendFrame(code)
 <body onload="appendFrame('301');">
 https://bugs.webkit.org/show_bug.cgi?id=40138<br>
-This test loads a php script which demands http authentication, then uses it to redirect to another script using that shows what authentication headers were sent with the final request.<br>
+You should load this page at 127.0.0.1:8000 so localhost:8000 is considered a different security origin.<br>
+This test loads a php script which demands http authentication, then uses it to redirect to another script in a different origin that shows what authentication headers were sent with the final request.<br>
 It does this once each for HTTP 301, 302, 303, and 307 redirects.<br>
 If not running under DRT, enter any credentials when asked.<br>
 </body>

--- a/third_party/WebKit/LayoutTests/http/tests/misc/resources/auth-echo.php
+++ b/third_party/WebKit/LayoutTests/http/tests/misc/resources/auth-echo.php
--- a/third_party/WebKit/LayoutTests/http/tests/misc/resources/auth-then-redirect.php
+++ b/third_party/WebKit/LayoutTests/http/tests/misc/resources/auth-then-redirect.php
@@ -12,7 +12,7 @@ if (!strlen($_SERVER["PHP_AUTH_USER"]) || !strlen($_SERVER["PHP_AUTH_PW"]))
 $redirect_codes=array("301", "302", "303", "307");
 if (in_array($_GET["redirect"], $redirect_codes))
 {
-    header("Location: http://127.0.0.1:8000/misc/resources/auth-echo.php", true, $_GET["redirect"]);
+    header("Location: http://127.0.0.1:8000/misc/authentication-redirect-1/resources/auth-echo.php", true, $_GET["redirect"]);
    exit;
 }

--- a/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-2/authentication-sent-to-redirect-same-origin-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-2/authentication-sent-to-redirect-same-origin-expected.txt
+<unknown> - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+https://bugs.webkit.org/show_bug.cgi?id=66354
+You should load this page at 127.0.0.1:8000 because the test relies on redirects within the 127.0.0.1:8000 security origin.
+This test loads a php script which demands http authentication, then uses it to redirect to another script in the same origin that shows what authentication headers were sent with the final request.
+It does this once each for HTTP 301, 302, 303, and 307 redirects.
+If not running under DRT, enter any credentials when asked.
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+Resource loaded with HTTP authentication username 'testUser' and password 'testPassword'
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+Resource loaded with HTTP authentication username 'testUser' and password 'testPassword'
+--------
+Frame: '<!--framePath //<!--frame2-->-->'
+--------
+Resource loaded with HTTP authentication username 'testUser' and password 'testPassword'
+--------
+Frame: '<!--framePath //<!--frame3-->-->'
+--------
+Resource loaded with HTTP authentication username 'testUser' and password 'testPassword'
--- a/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-2/authentication-sent-to-redirect-same-origin.html
+++ b/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-2/authentication-sent-to-redirect-same-origin.html
+<script>
+var framesLoaded = 0;
+var redirectCodes = new Array();
+redirectCodes[0] = "301";
+redirectCodes[1] = "302";
+redirectCodes[2] = "303";
+redirectCodes[3] = "307";
+function frameLoaded()
+{
+    if (++framesLoaded == 4) {
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+        return;
+    }
+    appendFrame(redirectCodes[framesLoaded]);
+}
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+    layoutTestController.dumpAsText();
+    layoutTestController.dumpChildFramesAsText();
+    layoutTestController.setHandlesAuthenticationChallenges(true);
+    layoutTestController.setAuthenticationUsername("testUser");
+    layoutTestController.setAuthenticationPassword("testPassword");
+}
+function appendFrame(code)
+{
+    i = document.createElement("iframe"); 
+    i.setAttribute("src", "http://127.0.0.1:8000/misc/authentication-redirect-2/resources/auth-then-redirect.php?redirect=" + code); 
+    i.setAttribute("onload", "frameLoaded()");
+    document.body.appendChild(i);
+}
+</script>
+<body onload="appendFrame('301');">
+https://bugs.webkit.org/show_bug.cgi?id=66354<br>
+You should load this page at 127.0.0.1:8000 because the test relies on redirects within the 127.0.0.1:8000 security origin.<br>
+This test loads a php script which demands http authentication, then uses it to redirect to another script in the same origin that shows what authentication headers were sent with the final request.<br>
+It does this once each for HTTP 301, 302, 303, and 307 redirects.<br>
+If not running under DRT, enter any credentials when asked.<br>
+</body>
--- a/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-2/resources/auth-echo.php
+++ b/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-2/resources/auth-echo.php
+<?php
+echo "Resource loaded with HTTP authentication username '", $_SERVER["PHP_AUTH_USER"], "' and password '", $_SERVER["PHP_AUTH_PW"], "'\n";
+?>
--- a/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-2/resources/auth-then-redirect.php
+++ b/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-2/resources/auth-then-redirect.php
+<?php
+// prompt for login if not already present
+if (!strlen($_SERVER["PHP_AUTH_USER"]) || !strlen($_SERVER["PHP_AUTH_PW"]))
+{
+    header("WWW-Authenticate: Basic realm=\"WebKit Bug Test\"");
+    header("HTTP/1.0 401 Unauthorized");
+    exit;
+}
+// do redirect if called for
+$redirect_codes=array("301", "302", "303", "307");
+if (in_array($_GET["redirect"], $redirect_codes))
+{
+    header("Location: http://127.0.0.1:8000/misc/authentication-redirect-2/resources/auth-echo.php", true, $_GET["redirect"]);
+    exit;
+}
+echo "Unknown redirect parameter sent";
+?>
--- a/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials-expected.txt
+https://bugs.webkit.org/show_bug.cgi?id=66354
+You should load this page at 127.0.0.1:8000 because the test relies on redirects within the 127.0.0.1:8000 security origin.
+This test loads a php script which demands http authentication, then uses it to redirect to another script in the same origin that shows what authentication headers were sent with the final request.
+The redirect includes credentials in the location url, and they should be preferred over credentials that WebCore has cached.
+It does this once each for HTTP 301, 302, 303, and 307 redirects.
+If not running under DRT, enter any credentials when asked.
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+Resource loaded with HTTP authentication username 'redirectuser' and password 'redirectpassword'
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+Resource loaded with HTTP authentication username 'redirectuser' and password 'redirectpassword'
+--------
+Frame: '<!--framePath //<!--frame2-->-->'
+--------
+Resource loaded with HTTP authentication username 'redirectuser' and password 'redirectpassword'
+--------
+Frame: '<!--framePath //<!--frame3-->-->'
+--------
+Resource loaded with HTTP authentication username 'redirectuser' and password 'redirectpassword'
--- a/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials.html
+++ b/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials.html
+<script>
+var framesLoaded = 0;
+var redirectCodes = new Array();
+redirectCodes[0] = "301";
+redirectCodes[1] = "302";
+redirectCodes[2] = "303";
+redirectCodes[3] = "307";
+function frameLoaded()
+{
+    if (++framesLoaded == 4) {
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+        return;
+    }
+    appendFrame(redirectCodes[framesLoaded]);
+}
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+    layoutTestController.dumpAsText();
+    layoutTestController.dumpChildFramesAsText();
+    layoutTestController.setHandlesAuthenticationChallenges(true);
+    layoutTestController.setAuthenticationUsername("testUser");
+    layoutTestController.setAuthenticationPassword("testPassword");
+}
+function appendFrame(code)
+{
+    i = document.createElement("iframe"); 
+    i.setAttribute("src", "http://127.0.0.1:8000/misc/authentication-redirect-3/resources/auth-then-redirect-with-url-credentials.php?redirect=" + code); 
+    i.setAttribute("onload", "frameLoaded()");
+    document.body.appendChild(i);
+}
+</script>
+<body onload="appendFrame('301');">
+https://bugs.webkit.org/show_bug.cgi?id=66354<br>
+You should load this page at 127.0.0.1:8000 because the test relies on redirects within the 127.0.0.1:8000 security origin.<br>
+This test loads a php script which demands http authentication, then uses it to redirect to another script in the same origin that shows what authentication headers were sent with the final request.<br>
+The redirect includes credentials in the location url, and they should be preferred over credentials that WebCore has cached.<br>
+It does this once each for HTTP 301, 302, 303, and 307 redirects.<br>
+If not running under DRT, enter any credentials when asked.<br>
+</body>
--- a/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-3/resources/auth-echo.php
+++ b/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-3/resources/auth-echo.php
+<?php
+echo "Resource loaded with HTTP authentication username '", $_SERVER["PHP_AUTH_USER"], "' and password '", $_SERVER["PHP_AUTH_PW"], "'\n";
+?>
--- a/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-3/resources/auth-then-redirect-with-url-credentials.php
+++ b/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-3/resources/auth-then-redirect-with-url-credentials.php
+<?php
+// prompt for login if not already present
+if (!strlen($_SERVER["PHP_AUTH_USER"]) || !strlen($_SERVER["PHP_AUTH_PW"]))
+{
+    header("WWW-Authenticate: Basic realm=\"WebKit Bug Test\"");
+    header("HTTP/1.0 401 Unauthorized");
+    exit;
+}
+// do redirect if called for
+$redirect_codes=array("301", "302", "303", "307");
+if (in_array($_GET["redirect"], $redirect_codes))
+{
+    header("Location: http://redirectuser:redirectpassword@127.0.0.1:8000/misc/authentication-redirect-3/resources/auth-then-redirect.php?redirect=" . $_GET["redirect"], true, $_GET["redirect"]);
+    exit;
+}
+echo "Unknown redirect parameter sent";
+?>
--- a/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-3/resources/auth-then-redirect.php
+++ b/third_party/WebKit/LayoutTests/http/tests/misc/authentication-redirect-3/resources/auth-then-redirect.php
+<?php
+// prompt for login if not already present
+if (!strlen($_SERVER["PHP_AUTH_USER"]) || !strlen($_SERVER["PHP_AUTH_PW"]))
+{
+    header("WWW-Authenticate: Basic realm=\"WebKit Bug Test\"");
+    header("HTTP/1.0 401 Unauthorized");
+    exit;
+}
+// do redirect if called for
+$redirect_codes=array("301", "302", "303", "307");
+if (in_array($_GET["redirect"], $redirect_codes))
+{
+    header("Location: http://127.0.0.1:8000/misc/authentication-redirect-3/resources/auth-echo.php", true, $_GET["redirect"]);
+    exit;
+}
+echo "Unknown redirect parameter sent";
+?>
--- a/third_party/WebKit/Source/WebCore/ChangeLog
+++ b/third_party/WebKit/Source/WebCore/ChangeLog
+2011-08-17  Brady Eidson  <beidson@apple.com>
+        https://bugs.webkit.org/show_bug.cgi?id=66354 and <rdar://problem/9965209>
+        Regression:  On Lion, redirects lose HTTP authentication headers
+        Reviewed by Alexey Proskuryakov and Darin Adler.
+        This changes makes WebCore try to apply basic credentials after a redirect if the redirect is to the same origin,
+        assuming the redirected URL did not contain credentials directly.
+        Tests: http/tests/misc/authentication-redirect-1/authentication-sent-to-redirect-cross-origin.html
+               http/tests/misc/authentication-redirect-2/authentication-sent-to-redirect-same-origin.html
+               http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials.html
+        * platform/network/cf/ResourceHandleCFNet.cpp:
+        (WebCore::applyBasicAuthorizationHeader): Apply the user/password from a credential to the HTTP headers for a request.
+        (WebCore::ResourceHandle::createCFURLConnection): Use the applyBasicAuthorizationHeader helper.
+        (WebCore::ResourceHandle::willSendRequest): If this is a redirect within the same origin, apply any stored target credentials to the new request.
+        * platform/network/mac/ResourceHandleMac.mm:
+        (WebCore::applyBasicAuthorizationHeader): Apply the user/password from a credential to the HTTP headers for a request.
+        (WebCore::ResourceHandle::createNSURLConnection): Use the applyBasicAuthorizationHeader helper.
+        (WebCore::ResourceHandle::willSendRequest): If this is a redirect within the same origin, apply any stored target credentials to the new request.
 2011-08-17  Chris Fleizach  <cfleizach@apple.com>
        Accessibility stack exhaustion using role attribute
--- a/third_party/WebKit/Source/WebCore/platform/network/cf/ResourceHandleCFNet.cpp
+++ b/third_party/WebKit/Source/WebCore/platform/network/cf/ResourceHandleCFNet.cpp
@@ -134,9 +134,10 @@ static void setDefaultMIMEType(CFURLResponseRef response)
    CFURLResponseSetMIMEType(response, defaultMIMETypeString);
 }
-static String encodeBasicAuthorization(const String& user, const String& password)
+static void applyBasicAuthorizationHeader(ResourceRequest& request, const Credential& credential)
 {
-    return base64Encode(String(user + ":" + password).utf8());
+    String authenticationHeader = "Basic " + base64Encode(String(credential.user() + ":" + credential.password()).utf8());
+    request.addHTTPHeaderField("Authorization", authenticationHeader);
 }
 static CFURLRequestRef willSendRequest(CFURLConnectionRef conn, CFURLRequestRef cfRequest, CFURLResponseRef cfRedirectResponse, const void* clientInfo)
@@ -471,8 +472,8 @@ void ResourceHandle::createCFURLConnection(bool shouldUseCredentialStorage, bool
    }
    if (!d->m_initialCredential.isEmpty()) {
-        String authHeader = "Basic " + encodeBasicAuthorization(d->m_initialCredential.user(), d->m_initialCredential.password());
+        // FIXME: Support Digest authentication, and Proxy-Authorization.
-        firstRequest().addHTTPHeaderField("Authorization", authHeader);
+        applyBasicAuthorizationHeader(firstRequest(), d->m_initialCredential);
    }
    RetainPtr<CFURLRequestRef> request(AdoptCF, makeFinalRequest(firstRequest(), shouldContentSniff));
@@ -540,8 +541,24 @@ void ResourceHandle::willSendRequest(ResourceRequest& request, const ResourceRes
    d->m_pass = url.pass();
    d->m_lastHTTPMethod = request.httpMethod();
    request.removeCredentials();
-    if (!protocolHostAndPortAreEqual(request.url(), redirectResponse.url()))
+    if (!protocolHostAndPortAreEqual(request.url(), redirectResponse.url())) {
+        // If the network layer carries over authentication headers from the original request
+        // in a cross-origin redirect, we want to clear those headers here.
        request.clearHTTPAuthorization();
+    } else {
+        // Only consider applying authentication credentials if this is actually a redirect and the redirect
+        // URL didn't include credentials of its own.
+        if (d->m_user.isEmpty() && d->m_pass.isEmpty() && !redirectResponse.isNull()) {
+            Credential credential = CredentialStorage::get(request.url());
+            if (!credential.isEmpty()) {
+                d->m_initialCredential = credential;
+                // FIXME: Support Digest authentication, and Proxy-Authorization.
+                applyBasicAuthorizationHeader(request, d->m_initialCredential);
+            }
+        }
+    }
 #if USE(CFURLSTORAGESESSIONS)
     request.setStorageSession(ResourceHandle::currentStorageSession());

--- a/third_party/WebKit/Source/WebCore/platform/network/mac/ResourceHandleMac.mm
+++ b/third_party/WebKit/Source/WebCore/platform/network/mac/ResourceHandleMac.mm
@@ -131,9 +131,10 @@ namespace WebCore {
 static bool isInitializingConnection;
 #endif
-static String encodeBasicAuthorization(const String& user, const String& password)
+static void applyBasicAuthorizationHeader(ResourceRequest& request, const Credential& credential)
 {
-    return base64Encode(String(user + ":" + password).utf8());
+    String authenticationHeader = "Basic " + base64Encode(String(credential.user() + ":" + credential.password()).utf8());
+    request.addHTTPHeaderField("Authorization", authenticationHeader);
 }
 ResourceHandleInternal::~ResourceHandleInternal()
@@ -211,8 +212,7 @@ void ResourceHandle::createNSURLConnection(id delegate, bool shouldUseCredential
    if (!d->m_initialCredential.isEmpty()) {
        // FIXME: Support Digest authentication, and Proxy-Authorization.
-        String authHeader = "Basic " + encodeBasicAuthorization(d->m_initialCredential.user(), d->m_initialCredential.password());
+        applyBasicAuthorizationHeader(firstRequest(), d->m_initialCredential);
-        firstRequest().addHTTPHeaderField("Authorization", authHeader);
    }
    NSURLRequest *nsRequest = firstRequest().nsURLRequest();
@@ -496,8 +496,25 @@ void ResourceHandle::willSendRequest(ResourceRequest& request, const ResourceRes
    d->m_pass = url.pass();
    d->m_lastHTTPMethod = request.httpMethod();
    request.removeCredentials();
-    if (!protocolHostAndPortAreEqual(request.url(), redirectResponse.url()))
+    if (!protocolHostAndPortAreEqual(request.url(), redirectResponse.url())) {
+        // If the network layer carries over authentication headers from the original request
+        // in a cross-origin redirect, we want to clear those headers here.
+        // As of Lion, CFNetwork no longer does this.
        request.clearHTTPAuthorization();
+    } else {
+        // Only consider applying authentication credentials if this is actually a redirect and the redirect
+        // URL didn't include credentials of its own.
+        if (d->m_user.isEmpty() && d->m_pass.isEmpty() && !redirectResponse.isNull()) {
+            Credential credential = CredentialStorage::get(request.url());
+            if (!credential.isEmpty()) {
+                d->m_initialCredential = credential;
+                // FIXME: Support Digest authentication, and Proxy-Authorization.
+                applyBasicAuthorizationHeader(request, d->m_initialCredential);
+            }
+        }
+    }
 #if USE(CFURLSTORAGESESSIONS)
    if (CFURLStorageSessionRef storageSession = privateBrowsingStorageSession())