239119 2022-04-12 02:35:15 -0700 <link rel=preconnect> always sends credentials to different-origin, ignoring crossorigin=anonymous 2022-04-27 03:37:21 -0700 1 1 1 Unclassified WebKit Page Loading WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 noam youennf achristensen beidson cdumez ews-watchlist japhet webkit-bug-importer wilander yoav youennf oldest_to_newest 1860629 0 noam 2022-04-12 02:35:15 -0700 Given <link rel=preconnect href="https://some-other-origin" crossorigin=anonymous> I believe from reading the code that the "anonymous" bit would be ignored: Looking at Source/WebCore/loader/LinkLoader.cpp, line 217: if (equalIgnoringASCIICase(params.crossOrigin, "anonymous") && document.securityOrigin().isSameOriginDomain(SecurityOrigin::create(href))) storageCredentialsPolicy = StoredCredentialsPolicy::DoNotUse; If I understand this line correctly, it would mean something like: useCredentials = link.crossorigin != 'anonymous' || !same_origin(link.href, document.origin) So any preconnect to a different-origin href would send credentials :( https://github.com/WebKit/WebKit/blob/8a5b17627ecd1a551b59978434f64378b4943bc7/Source/WebCore/loader/LinkLoader.cpp#L217 (It's a bit difficult to WPT this or show how this is ...) 1860774 1 webkit-bug-importer 2022-04-12 12:48:46 -0700 <rdar://problem/91643534> 1864415 2 458352 youennf 2022-04-26 05:02:33 -0700 Created attachment 458352 Patch 1864451 3 458352 wilander 2022-04-26 08:13:30 -0700 Comment on attachment 458352 Patch r=me 1864735 4 ews-feeder 2022-04-26 23:49:35 -0700 Tools/Scripts/svn-apply failed to apply attachment 458352 to trunk. Please resolve the conflicts and upload a new patch. 1864746 5 458427 youennf 2022-04-27 00:46:30 -0700 Created attachment 458427 Patch for landing 1864765 6 ews-feeder 2022-04-27 03:37:17 -0700 Committed r293503 (250034@main): <https://commits.webkit.org/250034@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 458427. 458352 2022-04-26 05:02:33 -0700 2022-04-27 00:46:25 -0700 Patch bug-239119-20220426140231.patch text/plain 2177 youennf U3VidmVyc2lvbiBSZXZpc2lvbjogMjkzNDIyCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggMGIzYmU4ODg2N2EzOWFk OTcxMzUwNzA1OTM4YmFkNjRlZTBhNjhhNi4uYTk2YjkyOTdkNzE4YzkyODRhZWU1ZjA4NjZmMjU5 NmQ1OWUyZjcyYyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE5IEBACisyMDIyLTA0LTI2ICBZb3Vl bm4gRmFibGV0ICA8eW91ZW5uQGFwcGxlLmNvbT4KKworICAgICAgICA8bGluayByZWw9cHJlY29u bmVjdD4gYWx3YXlzIHNlbmRzIGNyZWRlbnRpYWxzIHRvIGRpZmZlcmVudC1vcmlnaW4sIGlnbm9y aW5nIGNyb3Nzb3JpZ2luPWFub255bW91cworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9y Zy9zaG93X2J1Zy5jZ2k/aWQ9MjM5MTE5CisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS85MTY0MzUz ND4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBVcGRh dGUgdGhlIGNoZWNrIGFzIHBlciBzcGVjLCBzdGVwIDUgb2YKKyAgICAgICAgaHR0cHM6Ly9odG1s LnNwZWMud2hhdHdnLm9yZy9tdWx0aXBhZ2UvbGlua3MuaHRtbCNsaW5rLXR5cGUtcHJlY29ubmVj dAorCisgICAgICAgIFRoaXMgaXMgZGlmZmljdWx0IHRvIHRlc3QgYXMgcHJlY29ubmVjdCBjYW4g b25seSBleHBvc2UgVExTIGNyZWRlbnRpYWxzLgorCisgICAgICAgICogbG9hZGVyL0xpbmtMb2Fk ZXIuY3BwOgorICAgICAgICAoV2ViQ29yZTo6TGlua0xvYWRlcjo6cHJlY29ubmVjdElmTmVlZGVk KToKKwogMjAyMi0wNC0yNiAgWW91ZW5uIEZhYmxldCAgPHlvdWVubkBhcHBsZS5jb20+CiAKICAg ICAgICAgU2hhcmVkIHdvcmtlcnMgc2hvdWxkIG1hdGNoIHNlcnZpY2Ugd29ya2VyIHJlZ2lzdHJh dGlvbnMKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL2xvYWRlci9MaW5rTG9hZGVyLmNwcCBi L1NvdXJjZS9XZWJDb3JlL2xvYWRlci9MaW5rTG9hZGVyLmNwcAppbmRleCBiODk1YjQxNThmMTFl NjdjZGQzNWMxNjg2NjU4NmMzZjFhNjU5MzVkLi5iY2U5Yzg0YTJlOWE3NGFjMDk3OTg3ZmJhMTVi MDlkNWQ5MTU2MjlmIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIvTGlua0xvYWRl ci5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUvbG9hZGVyL0xpbmtMb2FkZXIuY3BwCkBAIC0yMTQs NyArMjE0LDcgQEAgdm9pZCBMaW5rTG9hZGVyOjpwcmVjb25uZWN0SWZOZWVkZWQoY29uc3QgTGlu a0xvYWRQYXJhbWV0ZXJzJiBwYXJhbXMsIERvY3VtZW50JgogICAgICAgICByZXR1cm47CiAgICAg QVNTRVJUKGRvY3VtZW50LnNldHRpbmdzKCkubGlua1ByZWNvbm5lY3RFbmFibGVkKCkpOwogICAg IFN0b3JlZENyZWRlbnRpYWxzUG9saWN5IHN0b3JhZ2VDcmVkZW50aWFsc1BvbGljeSA9IFN0b3Jl ZENyZWRlbnRpYWxzUG9saWN5OjpVc2U7Ci0gICAgaWYgKGVxdWFsTGV0dGVyc0lnbm9yaW5nQVND SUlDYXNlKHBhcmFtcy5jcm9zc09yaWdpbiwgImFub255bW91cyIpICYmIGRvY3VtZW50LnNlY3Vy aXR5T3JpZ2luKCkuaXNTYW1lT3JpZ2luRG9tYWluKFNlY3VyaXR5T3JpZ2luOjpjcmVhdGUoaHJl ZikpKQorICAgIGlmIChlcXVhbExldHRlcnNJZ25vcmluZ0FTQ0lJQ2FzZShwYXJhbXMuY3Jvc3NP cmlnaW4sICJhbm9ueW1vdXMiKSAmJiAhZG9jdW1lbnQuc2VjdXJpdHlPcmlnaW4oKS5pc1NhbWVP cmlnaW5Eb21haW4oU2VjdXJpdHlPcmlnaW46OmNyZWF0ZShocmVmKSkpCiAgICAgICAgIHN0b3Jh Z2VDcmVkZW50aWFsc1BvbGljeSA9IFN0b3JlZENyZWRlbnRpYWxzUG9saWN5OjpEb05vdFVzZTsK ICAgICBBU1NFUlQoZG9jdW1lbnQuZnJhbWUoKS0+bG9hZGVyKCkubmV0d29ya2luZ0NvbnRleHQo KSk7CiAgICAgcGxhdGZvcm1TdHJhdGVnaWVzKCktPmxvYWRlclN0cmF0ZWd5KCktPnByZWNvbm5l Y3RUbyhkb2N1bWVudC5mcmFtZSgpLT5sb2FkZXIoKSwgaHJlZiwgc3RvcmFnZUNyZWRlbnRpYWxz UG9saWN5LCBMb2FkZXJTdHJhdGVneTo6U2hvdWxkUHJlY29ubmVjdEFzRmlyc3RQYXJ0eTo6Tm8s IFt3ZWFrRG9jdW1lbnQgPSBXZWFrUHRyIHsgZG9jdW1lbnQgfSwgaHJlZl0oUmVzb3VyY2VFcnJv ciBlcnJvcikgewo= 458427 2022-04-27 00:46:30 -0700 2022-04-27 03:37:19 -0700 Patch for landing bug-239119-20220427094628.patch text/plain 2183 youennf U3VidmVyc2lvbiBSZXZpc2lvbjogMjkzNDk4CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggY2M0ZjhhZDU3NDljYzli NTAyM2E4ZmVjZTAyYzc3MGIxMTA4YTBlYi4uMjAyZWFlNzg1MjUzN2FjMDY2ZTZmOTY0OWVhYmY5 Mzc5ZDc0MzZhMyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE5IEBACisyMDIyLTA0LTI3ICBZb3Vl bm4gRmFibGV0ICA8eW91ZW5uQGFwcGxlLmNvbT4KKworICAgICAgICA8bGluayByZWw9cHJlY29u bmVjdD4gYWx3YXlzIHNlbmRzIGNyZWRlbnRpYWxzIHRvIGRpZmZlcmVudC1vcmlnaW4sIGlnbm9y aW5nIGNyb3Nzb3JpZ2luPWFub255bW91cworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9y Zy9zaG93X2J1Zy5jZ2k/aWQ9MjM5MTE5CisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS85MTY0MzUz ND4KKworICAgICAgICBSZXZpZXdlZCBieSBKb2huIFdpbGFuZGVyLgorCisgICAgICAgIFVwZGF0 ZSB0aGUgY2hlY2sgYXMgcGVyIHNwZWMsIHN0ZXAgNSBvZgorICAgICAgICBodHRwczovL2h0bWwu c3BlYy53aGF0d2cub3JnL211bHRpcGFnZS9saW5rcy5odG1sI2xpbmstdHlwZS1wcmVjb25uZWN0 CisKKyAgICAgICAgVGhpcyBpcyBkaWZmaWN1bHQgdG8gdGVzdCBhcyBwcmVjb25uZWN0IGNhbiBv bmx5IGV4cG9zZSBUTFMgY3JlZGVudGlhbHMuCisKKyAgICAgICAgKiBsb2FkZXIvTGlua0xvYWRl ci5jcHA6CisgICAgICAgIChXZWJDb3JlOjpMaW5rTG9hZGVyOjpwcmVjb25uZWN0SWZOZWVkZWQp OgorCiAyMDIyLTA0LTI2ICBBbnR0aSBLb2l2aXN0byAgPGFudHRpQGFwcGxlLmNvbT4KIAogICAg ICAgICA6OmZpcnN0LWxldHRlciBkb2VzIG5vdCB3b3JrIGlmIHVzZWQgb25seSBpbiBzaGFkb3cg Y29udGVudApkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvbG9hZGVyL0xpbmtMb2FkZXIuY3Bw IGIvU291cmNlL1dlYkNvcmUvbG9hZGVyL0xpbmtMb2FkZXIuY3BwCmluZGV4IDk2NDU4OGMwYzFl ZDQyOGNjY2M2NDBiNWE4NTA0ZjhlMjI5MmZmMDQuLjFiNGYyNWExNGMxMDU0MjBjZDYwNWIyODI1 MTM4ZDY4NjU5ZTJkNGUgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL2xvYWRlci9MaW5rTG9h ZGVyLmNwcAorKysgYi9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIvTGlua0xvYWRlci5jcHAKQEAgLTIx NCw3ICsyMTQsNyBAQCB2b2lkIExpbmtMb2FkZXI6OnByZWNvbm5lY3RJZk5lZWRlZChjb25zdCBM aW5rTG9hZFBhcmFtZXRlcnMmIHBhcmFtcywgRG9jdW1lbnQmCiAgICAgICAgIHJldHVybjsKICAg ICBBU1NFUlQoZG9jdW1lbnQuc2V0dGluZ3MoKS5saW5rUHJlY29ubmVjdEVuYWJsZWQoKSk7CiAg ICAgU3RvcmVkQ3JlZGVudGlhbHNQb2xpY3kgc3RvcmFnZUNyZWRlbnRpYWxzUG9saWN5ID0gU3Rv cmVkQ3JlZGVudGlhbHNQb2xpY3k6OlVzZTsKLSAgICBpZiAoZXF1YWxMZXR0ZXJzSWdub3JpbmdB U0NJSUNhc2UocGFyYW1zLmNyb3NzT3JpZ2luLCAiYW5vbnltb3VzIl9zKSAmJiBkb2N1bWVudC5z ZWN1cml0eU9yaWdpbigpLmlzU2FtZU9yaWdpbkRvbWFpbihTZWN1cml0eU9yaWdpbjo6Y3JlYXRl KGhyZWYpKSkKKyAgICBpZiAoZXF1YWxMZXR0ZXJzSWdub3JpbmdBU0NJSUNhc2UocGFyYW1zLmNy b3NzT3JpZ2luLCAiYW5vbnltb3VzIl9zKSAmJiAhZG9jdW1lbnQuc2VjdXJpdHlPcmlnaW4oKS5p c1NhbWVPcmlnaW5Eb21haW4oU2VjdXJpdHlPcmlnaW46OmNyZWF0ZShocmVmKSkpCiAgICAgICAg IHN0b3JhZ2VDcmVkZW50aWFsc1BvbGljeSA9IFN0b3JlZENyZWRlbnRpYWxzUG9saWN5OjpEb05v dFVzZTsKICAgICBBU1NFUlQoZG9jdW1lbnQuZnJhbWUoKS0+bG9hZGVyKCkubmV0d29ya2luZ0Nv bnRleHQoKSk7CiAgICAgcGxhdGZvcm1TdHJhdGVnaWVzKCktPmxvYWRlclN0cmF0ZWd5KCktPnBy ZWNvbm5lY3RUbyhkb2N1bWVudC5mcmFtZSgpLT5sb2FkZXIoKSwgaHJlZiwgc3RvcmFnZUNyZWRl bnRpYWxzUG9saWN5LCBMb2FkZXJTdHJhdGVneTo6U2hvdWxkUHJlY29ubmVjdEFzRmlyc3RQYXJ0 eTo6Tm8sIFt3ZWFrRG9jdW1lbnQgPSBXZWFrUHRyIHsgZG9jdW1lbnQgfSwgaHJlZl0oUmVzb3Vy Y2VFcnJvciBlcnJvcikgewo=