Bug 146650

Summary: Origin not sent on anonymous async JS requests
Product: WebKit Reporter: Patrick Toomey <ptoomey3>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, bfulgham, ptoomey3, timmfin, trevorburnham, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: OS X 10.10   

Description Patrick Toomey 2015-07-06 12:00:02 PDT 
We had some CORS logic that relied on looking at the `Origin` header for setting the appropriate `Access-Control-Allow-Origin` response. The page that relied on this looked something like:

```
<html>
...
<script crossorigin="anonymous" src="..."></script>
<script async="async" crossorigin="anonymous" src="..."></script>
<script async="async" crossorigin="anonymous" src="..."></script>
...
</html>
```

We noticed that only the first JS request included the `Origin` header. The two async requests did not include it. Even more strangely, it seems like the non-async resource acts like some sort of toggle that prevents `Origin` from being added for all future JS resource requests. For example:

```
# The below will send `Origin` for the first request and not for the second and third
<script some-non-async...>
<script async="async"...>
<script async="async"...>

# The below will send `Origin` for the first and second request and not the third
<script async="async"...>
<script some-non-async...>
<script async="async"...>

# The below will send `Origin` for all the requests
<script async="async"...>
<script async="async"...>
<script some-non-async...>
```

This behavior is reproducible on the latest Safari as well as the latest WebKit nightly.
Comment 1 Radar WebKit Bug Importer 2015-07-11 06:06:34 PDT 
<rdar://problem/21781367>
Comment 2 Tim Finley 2015-07-14 13:31:17 PDT 
I also just ran into this. I am on Safari Version 7.1.6 (9537.85.15.3)
Comment 3 Trevor Burnham 2015-07-14 13:43:46 PDT 
In addition to the Safari version Tim Finley mentioned, I've been able to reproduce this in:

* Version 8.0.7 (10600.7.12)
* Version 6.1 (8537.71)
* Version 6.0.5 (7536.30.1)
Comment 4 Tim Finley 2016-10-21 09:39:47 PDT 
Note, this seems to be fixed in Safari 10 on Sierra (but still doesn't work in Safari 9.1 in El Capitan)
Comment 5 Brent Fulgham 2020-08-28 15:21:14 PDT 
Closing based on reporter's statement about Safari 10.