Our website provides hyperlinks to third-party software which requests basic authentication. Previously a user would click the link, they would be taken to the new URL, and an authentication prompt would be shown. On the recent update Safari no longer prompts for authentication, and users are given a 401 Unauthorised error immediately. If you reload the page, it will prompt. Pasting the URL directly into the address bar works correctly.
This is not due to caching or cookies. I can confirm it was working fine in macOS Safari 11.0.1 and is broken in 11.0.2. Chrome does not exhibit this behaviour. I have also confirmed the same issue affecting iOS Safari, but I have not isolated versions.
Loading a test page from my local HDD does not give the same problem, but when hosted via IIS (on our web server or on my development machine) it fails every time. An example page is hosted here:
It links to a test authentication server here (this test server does not display a 401 error, but it still should show the authentication dialog):
Has anyone seen this before, or found a solution? I'm also reporting this to Apple but since I'm not an Apple Developer I expect it to get lost in the noise.
A user on the Apple Communities forum post I made has said this is a design decision by Apple, but I have yet to get any more information (or confirmation) on this. However the evidence seems to corroborate his information: the error only occurs when linking from an HTTPS site to an HTTP site.
I have also reported this via the Apple Bug Reporter tool. My first report has mysteriously disappeared. I have re-logged, but have also heard many accounts of bug reports never being responded to. If anyone here has a reliable reference that this is an intentional change, that would be great. Otherwise I still consider it a bug.