NTLM Authentication not working anymore in OutOfBlinkCors

Post by Toralion » Mon Mar 29, 2021 9:48 am

Hi,

I have a problem uploading a file to a MinIO (or S3) repo using CEF >86 (JS, XMLHttpRequest).

When trying to send the preflight (OPTIONS) request I would expect the typical challenge/response ping-pong with the proxy.
What happens is that CEF sends exactly one request, the proxy answers with a 407 Proxy Authentication Required and that's it. No second try to connect, no authentication granted.

Doing exactly the same using a Chrome browser, or CEF v86 with --disable-features=OutOfBlinkCors, works perfectly.
Of course I tried CEF >86 with the proxy disabled... works too.

Are there any new security/CORS rules I have to handle? Am I doing something wrong, or is this indeed a bug in CEF?

Thx,
Toralion


Here's the request/response showing some details, recorded with Wireshark:

Request:
---------
OPTIONS http://SOMESERVER:9000/210/root/rep01/7 ... 8e55aaa4f7 HTTP/1.1
Host: SOMESERVER:9000
Proxy-Connection: keep-alive
Accept: */*
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: content-md5,content-type,x-csrf-token
Origin: http://SOMESERVER:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Sec-Fetch-Mode: cors
Referer: http://SOMESERVER:8080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response:
---------
HTTP/1.1 407 Proxy Authentication Required
Server: squid/4.4
Mime-Version: 1.0
Date: Mon, 29 Mar 2021 09:41:41 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 4565
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en-us
Proxy-Authenticate: NTLM
X-Cache: MISS from CentOSNTLMProxy
X-Cache-Lookup: NONE from CentOSNTLMProxy:3128
Via: 1.1 CentOSNTLMProxy (squid/4.4)
Connection: keep-alive
Toralion
Newbie
 
Posts: 3
Joined: Mon Mar 29, 2021 9:16 am
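
Added example (not part of the original posts, and not CEF or Chromium code): a small Python check that walks the HTTP messages of one proxy connection in capture order and reports where the NTLM exchange stopped, which is the question the Wireshark trace above answers by eye. The sample captures and NTLMSSP tokens are constructed, the function and state names are hypothetical, and only the last Proxy-Authenticate header per response is considered.

```python
import base64, binascii, struct

def parse(raw):
    """Return (start_line, headers) with header names lower-cased."""
    lines = raw.strip().splitlines()
    pairs = (l.partition(":") for l in lines[1:])
    return lines[0], {k.strip().lower(): v.strip() for k, _, v in pairs}

def ntlm_type(value):
    """0 = bare 'NTLM' offer, 1/2/3 = NTLMSSP message type, None = not NTLM."""
    scheme, _, tok = (value or "").partition(" ")
    if scheme.upper() != "NTLM":
        return None
    if not tok.strip():
        return 0
    try:
        blob = base64.b64decode(tok.strip())
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 12 or blob[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack("<I", blob[8:12])[0]  # little-endian message type

def handshake_state(messages):
    """Name the point at which the proxy NTLM exchange stopped."""
    state = "no-challenge"
    for raw in messages:
        start, h = parse(raw)
        if start.startswith("HTTP/"):            # response from the proxy
            status, t = start.split()[1], ntlm_type(h.get("proxy-authenticate"))
            if status == "407" and t == 0:
                state = "offered-no-negotiate"   # client never sent Type 1
            elif status == "407" and t == 2:
                state = "challenged-no-authenticate"
            elif status != "407" and state == "authenticate-sent":
                state = "completed"
        else:                                    # request from the client
            t = ntlm_type(h.get("proxy-authorization"))
            state = {1: "negotiate-sent", 3: "authenticate-sent"}.get(t, state)
    return state

def token(msg_type):  # constructed NTLMSSP header only, carries no credentials
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type) + bytes(8)).decode()

# Constructed captures modelled on the trace in the post.
REQ = "OPTIONS http://SOMESERVER:9000/ HTTP/1.1\nHost: SOMESERVER:9000\n"
DENY = "HTTP/1.1 407 Proxy Authentication Required\nProxy-Authenticate: NTLM"
STALLED = [REQ, DENY + "\n"]
COMPLETE = STALLED + [REQ + "Proxy-Authorization: NTLM " + token(1) + "\n",
                      DENY + " " + token(2) + "\n",
                      REQ + "Proxy-Authorization: NTLM " + token(3) + "\n",
                      "HTTP/1.1 200 OK\n"]
```

The exchange in the post corresponds to `STALLED`: a single request, a bare `Proxy-Authenticate: NTLM` offer, and no follow-up from the client.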

Re: NTLM Authentication not working anymore in OutOfBlinkC

Post by Toralion » Mon Apr 12, 2021 9:20 am

After a few days trying to debug the code, we're still not sure what exactly the problem is.

When using a current Chrome browser, after the first 407 response of the proxy, the authentication challenge is started and HttpAuth::HandleChallengeResponse() is called.

If we do the same with the current CEF, we never reach that method or any other source within chromium which is responsible for the NTLM-authentication-challenge.

Digging deeper in the source:

Here's what we found out so far (please see the attached PDF):

We guess that the problem is that the CorsPreflightRequest class is registered as header_client_ within services/network/URLLoader
and therefore URLLoader::OnBeforeStartTransaction() is cancelled
and in the end blocks URLRequestHttpJob::StartTransactionInternal() from being called,
which seems to be relevant for triggering the authentication challenge (transaction_->RestartWithAuth()).

Are we right with those assumptions?

Could it be that deleting CorsPreflightRequest is missing somewhere, or is it the InterceptedRequest which is not working correctly?


CEF OutOfBlink Impl.pdf
Toralion
Newbie
 
Posts: 3
Joined: Mon Mar 29, 2021 9:16 am

Re: NTLM Authentication not working anymore in OutOfBlinkC

Post by magreenblatt » Mon Apr 12, 2021 12:21 pm

You can set |pass_through| to true in ProxyURLLoaderFactory::CreateLoaderAndStart to test if network interception is causing the problem.
magreenblatt
Site Admin
 
Posts: 10858
Joined: Fri May 29, 2009 6:57 pm

Re: NTLM Authentication not working anymore in OutOfBlinkC

Post by Toralion » Tue Apr 13, 2021 6:56 am

magreenblatt wrote: You can set |pass_through| to true in ProxyURLLoaderFactory::CreateLoaderAndStart to test if network interception is causing the problem.


Hi Marshall,

thx for the fast response. Yes, that does the trick! As soon as we set |pass_through| to true, the NTLM authentication works again.

So, to fix that problem for the moment: Do you see any drawbacks / side effects if we use CEF with that setting?
We do not need any custom request handling or manipulating in our environment, just simple browser stuff.

Should I create an issue for that problem?

Would it be an idea to make |pass_through| a "real" option?

Thx, for your help,
Toralion
Toralion
Newbie
 
Posts: 3
Joined: Mon Mar 29, 2021 9:16 am

Re: NTLM Authentication not working anymore in OutOfBlinkC

Post by magreenblatt » Tue Apr 13, 2021 8:38 am

Yes, please create an issue. Making pass_through a real option could be helpful (you can mention it as a workaround in the issue). Thanks.
magreenblatt
Site Admin
 
Posts: 10858
Joined: Fri May 29, 2009 6:57 pm

Re: NTLM Authentication not working anymore in OutOfBlinkC

Post by magreenblatt » Fri Jun 11, 2021 11:13 am

magreenblatt wrote: Yes, please create an issue. Making pass_through a real option could be helpful (you can mention it as a workaround in the issue). Thanks.

The option has now been added in this commit.
magreenblatt
Site Admin
 
Posts: 10858
Joined: Fri May 29, 2009 6:57 pm

