171566 2017-05-02 13:37:48 -0700 crossorigin="anonymous" resource loads are anonymous even for same-origin 2020-05-20 13:18:16 -0700 1 1 1 Unclassified WebKit Page Loading WebKit Nightly Build Unspecified Unspecified RESOLVED DUPLICATE 210326 https://bugs.webkit.org/show_bug.cgi?id=171550 InRadar P2 Normal --- 1 ptoomey3 dbates achristensen beidson buildbot cdumez dbates dpaddock hallo japhet kj.kim ljharb ptoomey3 sean webkit-bug-importer wilander youennf ysuzuki oldest_to_newest 1303784 0 ptoomey3 2017-05-02 13:37:48 -0700 A group of colleagues of mine noticed that a session cookie was not being sent with a script request that looked something like this: <script src="./anonymous.js" crossorigin="anonymous"></script> It looks as though Safari treats any resource request with the crossorigin="anonymous" attribute as anonymous. But, this is only meant to apply for cross-origin requests. I setup a temporary PoC test page (the contents can be seen below) that can be viewed on Heroku (https://infinite-bayou-16019.herokuapp.com). The two endpoints reflect back a JS response based on whether a cookie is sent along with the JS fetch. Chrome and Firefox send cookies for both fetches, while Safari only sends it on the non-anonymous fetch. <html> <head> <script src="./non_anonymous.js"></script> <script src="./anonymous.js" crossorigin="anonymous"></script> </head> <body> <h1>Echo some cookies!</h1> </body> </html> 1304414 1 youennf 2017-05-03 17:21:16 -0700 Thanks for filing this bug. We should set credential mode to same-origin in that case, which I believe would do what you are suggesting. Will try to look at it further. Are you seeing that for other resource types? 1304515 2 309016 youennf 2017-05-03 22:04:41 -0700 Created attachment 309016 Patch 1419334 3 webkit-bug-importer 2018-05-01 10:11:52 -0700 <rdar://problem/39869363> 1654383 4 hallo 2020-05-20 04:44:49 -0700 Three years later and it's still grinding my gears 1654390 5 youennf 2020-05-20 05:50:28 -0700 @Christian Haller, I believe we have fixed this issue. Testing https://infinite-bayou-16019.herokuapp.com/, it seems to work. From code inspection, we are now correctly setting FetchOptions::Credentials::SameOrigin for anonymous loads. Would you be able to provide a jsfiddle with your issue? I'll close this bug for now. Please reopen it if you think this issue is not solved or create a new bug if this is actually a different issue. 1654552 6 ysuzuki 2020-05-20 11:38:42 -0700 Yes, this is fixed in https://trac.webkit.org/changeset/260038/webkit, and in STP 105 https://webkit.org/blog/10428/release-notes-for-safari-technology-preview-105/ *** This bug has been marked as a duplicate of bug 210326 *** 1654607 7 hallo 2020-05-20 13:18:16 -0700 Nice, it works in Safari Technology Preview 106 👍🏻😍 309016 2017-05-03 22:04:41 -0700 2020-05-20 05:51:19 -0700 Patch bug-171566-20170503220441.patch text/plain 5479 youennf U3VidmVyc2lvbiBSZXZpc2lvbjogMjE2MTE3CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggYTI3ZDA1YmU2OWJkNWJh MjVjNTI1ZDI2YjU0NjI4NmExZWUwMTc5ZS4uYjI5MjZlMmNiNmRlN2QxN2YxMTg2Y2E2MmUyMmVk YjllM2IxMGFlOCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDIzIEBACisyMDE3LTA1LTAzICBZb3Vl bm4gRmFibGV0ICA8eW91ZW5uQGFwcGxlLmNvbT4KKworICAgICAgICBjcm9zc29yaWdpbj0iYW5v bnltb3VzIiByZXNvdXJjZSBsb2FkcyBhcmUgYW5vbnltb3VzIGV2ZW4gZm9yIHNhbWUtb3JpZ2lu CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNzE1NjYK KworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBXSVAsIHdp bGwgYmUgY292ZXJlZCBieSB0ZXN0cy4KKworICAgICAgICBSZXNvdXJjZUxvYWRlck9wdGlvbnMu YWxsb3dDcmVkZW50aWFscyBzaG91bGQgYmUgZGVwcmVjYXRlZCBhbmQgcmVwbGFjaW5nIGJ5IHNv bWUgbG9naWMgaW50ZXJuYWwgdG8gdGhlIGxvYWRlciBjb2RlLgorICAgICAgICBUaGlzIHBhdGNo IG5vdyBjb21wdXRlcyBSZXNvdXJjZUxvYWRlck9wdGlvbnMuYWxsb3dDcmVkZW50aWFscyBiYXNl ZCBvbiBGZXRjaE9wdGlvbnM6OkNyZWRlbnRpYWxzIG9wdGlvbiB2YWx1ZS4KKworICAgICAgICAq IGxvYWRlci9SZXNvdXJjZUxvYWRlck9wdGlvbnMuaDoKKyAgICAgICAgKiBsb2FkZXIvU3VicmVz b3VyY2VMb2FkZXIuY3BwOgorICAgICAgICAoV2ViQ29yZTo6U3VicmVzb3VyY2VMb2FkZXI6OmNo ZWNrUmVkaXJlY3Rpb25Dcm9zc09yaWdpbkFjY2Vzc0NvbnRyb2wpOgorICAgICAgICAqIGxvYWRl ci9jYWNoZS9DYWNoZWRSZXNvdXJjZVJlcXVlc3QuY3BwOgorICAgICAgICAoV2ViQ29yZTo6Q2Fj aGVkUmVzb3VyY2VSZXF1ZXN0OjpzZXRBc1BvdGVudGlhbGx5Q3Jvc3NPcmlnaW4pOgorICAgICAg ICAqIHN0eWxlL1N0eWxlUGVuZGluZ1Jlc291cmNlcy5jcHA6CisgICAgICAgIChXZWJDb3JlOjpT dHlsZTo6bG9hZFBlbmRpbmdJbWFnZSk6CisKIDIwMTctMDUtMDMgIEFudHRpIEtvaXZpc3RvICA8 YW50dGlAYXBwbGUuY29tPgogCiAgICAgICAgIFJlbmFtZSBTdHlsZUludmFsaWRhdGlvbkFuYWx5 c2lzIHRvIFN0eWxlOjpJbnZhbGlkYXRvcgpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvbG9h ZGVyL1Jlc291cmNlTG9hZGVyT3B0aW9ucy5oIGIvU291cmNlL1dlYkNvcmUvbG9hZGVyL1Jlc291 cmNlTG9hZGVyT3B0aW9ucy5oCmluZGV4IGI5M2JjYjY4ZjMwYmU2MjQxNDk4MTIwNmIwN2JjNTVh NTY5MDg4OGYuLjRiMzAwMzVkYmFhZDIwNzI5YWQwMmY2MWU2ZTA5MzViZWZhZmI2NTcgMTAwNjQ0 Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL2xvYWRlci9SZXNvdXJjZUxvYWRlck9wdGlvbnMuaAorKysg Yi9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIvUmVzb3VyY2VMb2FkZXJPcHRpb25zLmgKQEAgLTExNiw2 ICsxMTYsNyBAQCBzdHJ1Y3QgUmVzb3VyY2VMb2FkZXJPcHRpb25zIDogcHVibGljIEZldGNoT3B0 aW9ucyB7CiAgICAgU2VuZENhbGxiYWNrUG9saWN5IHNlbmRMb2FkQ2FsbGJhY2tzIHsgRG9Ob3RT ZW5kQ2FsbGJhY2tzIH07CiAgICAgQ29udGVudFNuaWZmaW5nUG9saWN5IHNuaWZmQ29udGVudCB7 IERvTm90U25pZmZDb250ZW50IH07CiAgICAgRGF0YUJ1ZmZlcmluZ1BvbGljeSBkYXRhQnVmZmVy aW5nUG9saWN5IHsgQnVmZmVyRGF0YSB9OworICAgIC8vIEZJWE1FOiBSZW1vdmUgdGhhdCBvcHRp b24gYXMgbG9hZGVyIGNsaWVudHMgc2hvdWxkIHNldCBpdCB0aHJvdWdoIEZldGNoT3B0aW9ucyBp bnN0ZWFkLgogICAgIFN0b3JlZENyZWRlbnRpYWxzIGFsbG93Q3JlZGVudGlhbHMgeyBEb05vdEFs bG93U3RvcmVkQ3JlZGVudGlhbHMgfTsKICAgICBTZWN1cml0eUNoZWNrUG9saWN5IHNlY3VyaXR5 Q2hlY2sgeyBEb1NlY3VyaXR5Q2hlY2sgfTsKICAgICBDZXJ0aWZpY2F0ZUluZm9Qb2xpY3kgY2Vy dGlmaWNhdGVJbmZvUG9saWN5IHsgRG9Ob3RJbmNsdWRlQ2VydGlmaWNhdGVJbmZvIH07CmRpZmYg LS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIvU3VicmVzb3VyY2VMb2FkZXIuY3BwIGIvU291 cmNlL1dlYkNvcmUvbG9hZGVyL1N1YnJlc291cmNlTG9hZGVyLmNwcAppbmRleCA3N2IxMjExMTdm MzBkZjVjNjE4OGEzNGViYWUyMGZkOGIzNWJlYjViLi5iZDg0NDdkZmNiNzAwYzAxY2ZmNTlkYjQ2 N2FiMGM4N2Y2M2I0N2FhIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIvU3VicmVz b3VyY2VMb2FkZXIuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL2xvYWRlci9TdWJyZXNvdXJjZUxv YWRlci5jcHAKQEAgLTQ4Miw4ICs0ODIsMTQgQEAgYm9vbCBTdWJyZXNvdXJjZUxvYWRlcjo6Y2hl Y2tSZWRpcmVjdGlvbkNyb3NzT3JpZ2luQWNjZXNzQ29udHJvbChjb25zdCBSZXNvdXJjZVIKICAg ICBib29sIGNyb3NzT3JpZ2luRmxhZyA9IG1fcmVzb3VyY2UtPmlzQ3Jvc3NPcmlnaW4oKTsKICAg ICBib29sIGlzTmV4dFJlcXVlc3RDcm9zc09yaWdpbiA9IG1fb3JpZ2luICYmICFtX29yaWdpbi0+ Y2FuUmVxdWVzdChuZXdSZXF1ZXN0LnVybCgpKTsKIAotICAgIGlmIChpc05leHRSZXF1ZXN0Q3Jv c3NPcmlnaW4pCisgICAgaWYgKGlzTmV4dFJlcXVlc3RDcm9zc09yaWdpbikgeworICAgICAgICBp ZiAobV9vcHRpb25zLmFsbG93Q3JlZGVudGlhbHMgPT0gQWxsb3dTdG9yZWRDcmVkZW50aWFscyAm JiBtX29wdGlvbnMuY3JlZGVudGlhbHMgPT0gRmV0Y2hPcHRpb25zOjpDcmVkZW50aWFsczo6U2Ft ZU9yaWdpbikgeworICAgICAgICAgICAgbV9vcHRpb25zLmFsbG93Q3JlZGVudGlhbHMgPSBEb05v dEFsbG93U3RvcmVkQ3JlZGVudGlhbHM7CisgICAgICAgICAgICBuZXdSZXF1ZXN0LnJlbW92ZUNy ZWRlbnRpYWxzKCk7CisgICAgICAgICAgICBuZXdSZXF1ZXN0LnNldEFsbG93Q29va2llcyhmYWxz ZSk7CisgICAgICAgIH0KICAgICAgICAgbV9yZXNvdXJjZS0+c2V0Q3Jvc3NPcmlnaW4oKTsKKyAg ICB9CiAKICAgICBBU1NFUlQob3B0aW9ucygpLm1vZGUgIT0gRmV0Y2hPcHRpb25zOjpNb2RlOjpT YW1lT3JpZ2luIHx8ICFtX3Jlc291cmNlLT5pc0Nyb3NzT3JpZ2luKCkpOwogCmRpZmYgLS1naXQg YS9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIvY2FjaGUvQ2FjaGVkUmVzb3VyY2VSZXF1ZXN0LmNwcCBi L1NvdXJjZS9XZWJDb3JlL2xvYWRlci9jYWNoZS9DYWNoZWRSZXNvdXJjZVJlcXVlc3QuY3BwCmlu ZGV4IGY4NmQzNjViYjdhMTA0MGNkMjMyOWU5NmUxYzRkNjFhYjMwYmUxMWYuLjhjOWZmOTRhMTNm MWI1Nzk2YzJiNzYxMGU2MDM0NWEyNDQyODEwMGUgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3Jl L2xvYWRlci9jYWNoZS9DYWNoZWRSZXNvdXJjZVJlcXVlc3QuY3BwCisrKyBiL1NvdXJjZS9XZWJD b3JlL2xvYWRlci9jYWNoZS9DYWNoZWRSZXNvdXJjZVJlcXVlc3QuY3BwCkBAIC05OSw3ICs5OSwx NyBAQCB2b2lkIENhY2hlZFJlc291cmNlUmVxdWVzdDo6c2V0QXNQb3RlbnRpYWxseUNyb3NzT3Jp Z2luKGNvbnN0IFN0cmluZyYgbW9kZSwgRG9jdQogICAgICAgICA/IEZldGNoT3B0aW9uczo6Q3Jl ZGVudGlhbHM6Ok9taXQgOiBlcXVhbExldHRlcnNJZ25vcmluZ0FTQ0lJQ2FzZShtb2RlLCAidXNl LWNyZWRlbnRpYWxzIikKICAgICAgICAgPyBGZXRjaE9wdGlvbnM6OkNyZWRlbnRpYWxzOjpJbmNs dWRlIDogRmV0Y2hPcHRpb25zOjpDcmVkZW50aWFsczo6U2FtZU9yaWdpbjsKICAgICBtX29wdGlv bnMuY3JlZGVudGlhbHMgPSBjcmVkZW50aWFsczsKLSAgICBtX29wdGlvbnMuYWxsb3dDcmVkZW50 aWFscyA9IGNyZWRlbnRpYWxzID09IEZldGNoT3B0aW9uczo6Q3JlZGVudGlhbHM6OkluY2x1ZGUg PyBBbGxvd1N0b3JlZENyZWRlbnRpYWxzIDogRG9Ob3RBbGxvd1N0b3JlZENyZWRlbnRpYWxzOwor ICAgIHN3aXRjaCAoY3JlZGVudGlhbHMpIHsKKyAgICBjYXNlIEZldGNoT3B0aW9uczo6Q3JlZGVu dGlhbHM6OkluY2x1ZGU6CisgICAgICAgIG1fb3B0aW9ucy5hbGxvd0NyZWRlbnRpYWxzID0gQWxs b3dTdG9yZWRDcmVkZW50aWFsczsKKyAgICAgICAgYnJlYWs7CisgICAgY2FzZSBGZXRjaE9wdGlv bnM6OkNyZWRlbnRpYWxzOjpPbWl0OgorICAgICAgICBtX29wdGlvbnMuYWxsb3dDcmVkZW50aWFs cyA9IERvTm90QWxsb3dTdG9yZWRDcmVkZW50aWFsczsKKyAgICAgICAgYnJlYWs7CisgICAgY2Fz ZSBGZXRjaE9wdGlvbnM6OkNyZWRlbnRpYWxzOjpJbmNsdWRlOgorICAgICAgICBtX29wdGlvbnMu YWxsb3dDcmVkZW50aWFscyA9IGlzUmVxdWVzdENyb3NzT3JpZ2luKG1fb3JpZ2luLCBtX3Jlc291 cmNlUmVxdWVzdC51cmwoKSwgbV9vcHRpb25zKSA/IERvTm90QWxsb3dTdG9yZWRDcmVkZW50aWFs cyA6IEFsbG93U3RvcmVkQ3JlZGVudGlhbHM7CisgICAgICAgIGJyZWFrOworICAgIH0KICAgICBX ZWJDb3JlOjp1cGRhdGVSZXF1ZXN0Rm9yQWNjZXNzQ29udHJvbChtX3Jlc291cmNlUmVxdWVzdCwg ZG9jdW1lbnQuc2VjdXJpdHlPcmlnaW4oKSwgbV9vcHRpb25zLmFsbG93Q3JlZGVudGlhbHMpOwog fQogCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9zdHlsZS9TdHlsZVBlbmRpbmdSZXNvdXJj ZXMuY3BwIGIvU291cmNlL1dlYkNvcmUvc3R5bGUvU3R5bGVQZW5kaW5nUmVzb3VyY2VzLmNwcApp bmRleCAxMDMxOWY4MjNlZDAzMTRiMmViMzgyNTg5MGJlYzM1NzA3MDMxNWVkLi5kMDQ1YzhhNDM2 YzdkNGU5MDA5MTVkZThjMGMzN2YyZTVhNzI0ZDlmIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29y ZS9zdHlsZS9TdHlsZVBlbmRpbmdSZXNvdXJjZXMuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL3N0 eWxlL1N0eWxlUGVuZGluZ1Jlc291cmNlcy5jcHAKQEAgLTUzLDcgKzUzLDcgQEAgc3RhdGljIHZv aWQgbG9hZFBlbmRpbmdJbWFnZShEb2N1bWVudCYgZG9jdW1lbnQsIGNvbnN0IFN0eWxlSW1hZ2Uq IHN0eWxlSW1hZ2UsIGMKICAgICAvLyBGSVhNRTogV2h5IGRvZXMgc2hhcGUtb3V0c2lkZSBoYXZl IGRpZmZlcmVudCBwb2xpY3kgdGhhbiBvdGhlciBwcm9wZXJ0aWVzPwogICAgIGlmIChsb2FkUG9s aWN5ID09IExvYWRQb2xpY3k6OlNoYXBlT3V0c2lkZSkgewogICAgICAgICBvcHRpb25zLm1vZGUg PSBGZXRjaE9wdGlvbnM6Ok1vZGU6OkNvcnM7Ci0gICAgICAgIG9wdGlvbnMuYWxsb3dDcmVkZW50 aWFscyA9IERvTm90QWxsb3dTdG9yZWRDcmVkZW50aWFsczsKKyAgICAgICAgb3B0aW9ucy5jcmVk ZW50aWFscyA9IEZldGNoT3B0aW9uczo6Q3JlZGVudGlhbHM6Ok9taXQ7CiAgICAgICAgIG9wdGlv bnMuc2FtZU9yaWdpbkRhdGFVUkxGbGFnID0gU2FtZU9yaWdpbkRhdGFVUkxGbGFnOjpTZXQ7CiAg ICAgfQogCg==