Tags: http, authentication, https, basic-authentication

Are HTTPS basic auth credentials shared with its HTTP counterpart?


Imagine the following scenario:

  1. The user goes to http://example.com
  2. The server redirects to the secure version https://example.com using a temporary redirect (status 302)
  3. https://example.com responds with an HTTP basic auth challenge (status 401)
  4. The user successfully provides username/password and access is granted (the browser stores these credentials in its internal cache)

What happens if the user follows a link to the unsecured version of the website (http://example.com)?

Would the credentials be exposed due to the clear-text HTTP request?

Are HTTP credentials and HTTPS credentials stored in separate "buckets" by the browser?

Technically, the two URLs belong to different origins so the credentials should not be shared. But I could not find any confirmation of this online.


Solution

  • Are HTTP credentials and HTTPS credentials stored in separate "buckets" by the browser?

    Yes, and those buckets are officially called 'origins'. Specifications like HTML, JavaScript, HTTP and URIs talk about origins, but the bucket is effectively the URI minus the path.

    So for https://example.org/foo/bar, the origin is https://example.org

    So this includes:

    • The scheme (http / https).
    • The domain
    • The port

    So in your example the 2 relevant origins / buckets are http://example.com and https://example.com and they are separate.
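As an added example (not part of the question or the answer above), here is a small Python model of an origin-keyed Basic-auth credential cache that walks through the redirect scenario from the question. The `origin()` helper computes the (scheme, host, port) triple the answer describes, filling in default ports; the cache keys entries by origin plus the realm from the 401 challenge, which is how RFC 7617 defines a Basic-auth protection space. The realm name `"site"`, the username and the password are constructed values.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) tuple identifying a URL's origin.

    A missing port is replaced by the scheme's default, so
    https://example.com and https://example.com:443 share one origin,
    while http://example.com (port 80) is a different origin entirely.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def origin_string(url):
    """Serialise an origin the way the answer writes it: URI minus the path."""
    scheme, host, port = origin(url)
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


class BasicAuthCache:
    """Toy model of a browser's Basic-auth credential cache.

    Entries are keyed by (origin, realm), mirroring the 'protection space'
    of RFC 7617: the server's scheme, host and port plus the realm string
    from the WWW-Authenticate challenge. Nothing here talks to a network.
    """

    def __init__(self):
        self._store = {}

    def remember(self, url, realm, username, password):
        self._store[(origin(url), realm)] = (username, password)

    def lookup(self, url, realm):
        """Credentials the browser would attach for this URL/realm, or None."""
        return self._store.get((origin(url), realm))


def simulate_redirect_scenario():
    """Replay steps 3-4 of the question, then a follow-up link to plain HTTP."""
    cache = BasicAuthCache()
    # Steps 3 and 4: https://example.com challenges with realm "site" (constructed)
    # and the user authenticates; the browser caches the credentials.
    cache.remember("https://example.com/", "site", "alice", "constructed-password")
    # The user later follows a link to the clear-text origin. Even if that
    # server sent an identical realm, the cache key differs by scheme/port.
    sent_over_http = cache.lookup("http://example.com/", "site")
    # A further request within the HTTPS origin does reuse the credentials.
    sent_over_https = cache.lookup("https://example.com/admin", "site")
    return {"http": sent_over_http, "https": sent_over_https}


if __name__ == "__main__":
    print(origin_string("https://example.org/foo/bar"))  # https://example.org
    print(simulate_redirect_scenario())
```

The model deliberately keys on the realm as well as the origin: a different realm on the same HTTPS origin would also miss the cache, which matches browser behaviour, but the point relevant to the question is that `lookup("http://example.com/", ...)` returns nothing regardless of realm, because port 80 and port 443 under different schemes are different origins.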