276364 2024-07-09 05:19:12 -0700 XMLHttpRequest without credentials fails with CORS error on redirections 2024-07-16 05:20:12 -0700 1 1 1 Unclassified WebKit Page Loading WebKit Nightly Build All All NEW InRadar P2 Normal --- 1 pgorszkowski pgorszkowski achristensen annevk beidson m_finkel webkit-bug-importer wilander youennf oldest_to_newest 2045287 0 pgorszkowski 2024-07-09 05:19:12 -0700 The problem was reported for WPE: https://github.com/WebPlatformForEmbedded/WPEWebKit/issues/1361 but it can be reproduced also for GTK or safari(iphone). The steps to reproduce: 1. make a XMLHTTPRequest without credentials to same origin (same_origin_redirect) const xhr = new XMLHttpRequest(); xhr.open("GET", "http://same_origin/same_origin_redirect.php", true); xhr.send(null); 2. same_origin_redirect.php redirects to different origin: <?php header("Access-Control-Allow-Origin: *"); header("HTTP/1.1 301 Moved Permanently"); header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate"); header("Location: http://different_origin/different_origin_redirect.php"); ?> 3. different_origin_redirect.php redirects to same origin: <?php header("Access-Control-Allow-Origin: *"); header("HTTP/1.1 301 Moved Permanently"); header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate"); header("Location: http://same_origin/same_origin_target.php"); ?> 4. same_origin_targe.php: <?php header("Access-Control-Allow-Origin: *"); ?> <html> <head> </head> <body style="background-color:white"> <p style="font-weight: 600;">Wildcard CORS</p><br /> <p>Status: <strong id="status">SUCCESS</strong></p> </body> </html> The last redirect fails because of: [Error] Cross-origin redirection to http://same_origin/same_origin_target.php denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. [Error] Failed to load resource: Cross-origin redirection to http://same_origin/same_origin_target.php denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. (same_origin_redirect.php, line 0) [Error] XMLHttpRequest cannot load http://different_origin/different_origin_redirect.php due to access control checks. The problem can be also reproduced with LayoutTest with similar case (I will add the case in LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html in PR). 2045288 1 pgorszkowski 2024-07-09 05:31:54 -0700 The problem does not exist on FF or Chrome (Chromium) 2045290 2 pgorszkowski 2024-07-09 05:42:09 -0700 The Fetch specification describes in which cases "*" Access-Control-Allow-Origin are allowed for which credentials modes: https://fetch.spec.whatwg.org/#cors-protocol-and-credentials The problem in webkit seems to be implementation of the "passesAccessControlCheck" from: https://github.com/WebKit/WebKit/blob/main/Source/WebCore/loader/CrossOriginAccessControl.cpp#L266 The "passesAccessControlCheck" uses "StoredCredentialsPolicy" while probably it should use "FetchOptionsCredentials" to handle it correctly. Chromium implementation: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/services/network/public/cpp/cors/cors.cc#144 2045485 3 pgorszkowski 2024-07-10 01:19:29 -0700 Pull request: https://github.com/WebKit/WebKit/pull/30638 2046457 4 webkit-bug-importer 2024-07-16 05:20:12 -0700 <rdar://problem/131831204>