1 files changed, 32 insertions, 13 deletions

diff --git a/WebCore/platform/network/mac/ResourceHandleMac.mm b/WebCore/platform/network/mac/ResourceHandleMac.mm
index ec60079..3630b30 100644
--- a/WebCore/platform/network/mac/ResourceHandleMac.mm
+++ b/WebCore/platform/network/mac/ResourceHandleMac.mm
@@ -119,6 +119,7 @@ public:
     }
 };
 
+#ifndef BUILDING_ON_TIGER
 static String encodeBasicAuthorization(const String& user, const String& password)
 {
     CString unencodedString = (user + ":" + password).utf8();
@@ -128,6 +129,7 @@ static String encodeBasicAuthorization(const String& user, const String& passwor
     base64Encode(unencoded, encoded);
     return String(encoded.data(), encoded.size());
 }
+#endif
 
 ResourceHandleInternal::~ResourceHandleInternal()
 {
@@ -175,23 +177,38 @@ bool ResourceHandle::start(Frame* frame)
     } else 
         delegate = ResourceHandle::delegate();
 
-    if ((!d->m_user.isEmpty() || !d->m_pass.isEmpty()) && !d->m_request.url().protocolInHTTPFamily()) {
+    if ((!d->m_user.isEmpty() || !d->m_pass.isEmpty())
+#ifndef BUILDING_ON_TIGER
+     && !d->m_request.url().protocolInHTTPFamily() // On Tiger, always pass credentials in URL, so that they get stored even if the request gets cancelled right away.
+#endif
+    ) {
         // Credentials for ftp can only be passed in URL, the connection:didReceiveAuthenticationChallenge: delegate call won't be made.
         KURL urlWithCredentials(d->m_request.url());
         urlWithCredentials.setUser(d->m_user);
         urlWithCredentials.setPass(d->m_pass);
         d->m_request.setURL(urlWithCredentials);
     }
-    
-    // <rdar://problem/7174050> - For URLs that match the paths of those previously challenged for HTTP Basic authentication, 
-    // try and reuse the credential preemptively, as allowed by RFC 2617.
-    if (!client() || client()->shouldUseCredentialStorage(this) && d->m_request.url().protocolInHTTPFamily())
-        d->m_initialCredential = CredentialStorage::getDefaultAuthenticationCredential(d->m_request.url());
+
+#ifndef BUILDING_ON_TIGER
+    if ((!client() || client()->shouldUseCredentialStorage(this)) && d->m_request.url().protocolInHTTPFamily()) {
+        if (d->m_user.isEmpty() && d->m_pass.isEmpty()) {
+            // <rdar://problem/7174050> - For URLs that match the paths of those previously challenged for HTTP Basic authentication, 
+            // try and reuse the credential preemptively, as allowed by RFC 2617.
+            d->m_initialCredential = CredentialStorage::get(d->m_request.url());
+        } else {
+            // If there is already a protection space known for the URL, update stored credentials before sending a request.
+            // This makes it possible to implement logout by sending an XMLHttpRequest with known incorrect credentials, and aborting it immediately
+            // (so that an authentication dialog doesn't pop up).
+            CredentialStorage::set(Credential(d->m_user, d->m_pass, CredentialPersistenceNone), d->m_request.url());
+        }
+    }
         
     if (!d->m_initialCredential.isEmpty()) {
+        // FIXME: Support Digest authentication, and Proxy-Authorization.
         String authHeader = "Basic " + encodeBasicAuthorization(d->m_initialCredential.user(), d->m_initialCredential.password());
         d->m_request.addHTTPHeaderField("Authorization", authHeader);
     }
+#endif
 
     if (!ResourceHandle::didSendBodyDataDelegateExists())
         associateStreamWithResourceHandle([d->m_request.nsURLRequest() HTTPBodyStream], this);
@@ -471,7 +488,7 @@ void ResourceHandle::didReceiveAuthenticationChallenge(const AuthenticationChall
     if (!d->m_user.isNull() && !d->m_pass.isNull()) {
         NSURLCredential *credential = [[NSURLCredential alloc] initWithUser:d->m_user
                                                                    password:d->m_pass
-                                                                persistence:NSURLCredentialPersistenceNone];
+                                                                persistence:NSURLCredentialPersistenceForSession];
         d->m_currentMacChallenge = challenge.nsURLAuthenticationChallenge();
         d->m_currentWebChallenge = challenge;
         receivedCredential(challenge, core(credential));
@@ -482,6 +499,7 @@ void ResourceHandle::didReceiveAuthenticationChallenge(const AuthenticationChall
         return;
     }
 
+#ifndef BUILDING_ON_TIGER
     if (!challenge.previousFailureCount() && (!client() || client()->shouldUseCredentialStorage(this))) {
         Credential credential = CredentialStorage::get(challenge.protectionSpace());
         if (!credential.isEmpty() && credential != d->m_initialCredential) {
@@ -490,6 +508,7 @@ void ResourceHandle::didReceiveAuthenticationChallenge(const AuthenticationChall
             return;
         }
     }
+#endif
 
     d->m_currentMacChallenge = challenge.nsURLAuthenticationChallenge();
     NSURLAuthenticationChallenge *webChallenge = [[NSURLAuthenticationChallenge alloc] initWithAuthenticationChallenge:d->m_currentMacChallenge 
@@ -521,11 +540,6 @@ void ResourceHandle::receivedCredential(const AuthenticationChallenge& challenge
     if (credential.persistence() == CredentialPersistenceNone) {
         // NSURLCredentialPersistenceNone doesn't work on Tiger, so we have to use session persistence.
         Credential webCredential(credential.user(), credential.password(), CredentialPersistenceForSession);
-        KURL urlToStore;
-        if (challenge.failureResponse().httpStatusCode() == 401)
-            urlToStore = d->m_request.url();
-        CredentialStorage::set(webCredential, core([d->m_currentMacChallenge protectionSpace]), urlToStore);
-        
         [[d->m_currentMacChallenge sender] useCredential:mac(webCredential) forAuthenticationChallenge:d->m_currentMacChallenge];
     } else
 #else
@@ -620,6 +634,11 @@ void ResourceHandle::receivedCancellation(const AuthenticationChallenge& challen
 
     CallbackGuard guard;
     ResourceRequest request = newRequest;
+
+    // Should not set Referer after a redirect from a secure resource to non-secure one.
+    if (!request.url().protocolIs("https") && protocolIs(request.httpReferrer(), "https"))
+        request.clearHTTPReferrer();
+
     m_handle->willSendRequest(request, redirectResponse);
 
     if (!ResourceHandle::didSendBodyDataDelegateExists()) {
@@ -1055,7 +1074,7 @@ void ResourceHandle::receivedCancellation(const AuthenticationChallenge& challen
         // try and reuse the credential preemptively, as allowed by RFC 2617.
         ResourceRequest requestWithInitialCredentials = request;
         if (allowStoredCredentials && url.protocolInHTTPFamily())
-            delegate->m_initialCredential = CredentialStorage::getDefaultAuthenticationCredential(url);
+            delegate->m_initialCredential = CredentialStorage::get(url);
             
         if (!delegate->m_initialCredential.isEmpty()) {
             String authHeader = "Basic " + encodeBasicAuthorization(delegate->m_initialCredential.user(), delegate->m_initialCredential.password());