Bug 171566

Summary: crossorigin="anonymous" resource loads are anonymous even for same-origin
Product: WebKit Reporter: Patrick Toomey <ptoomey3>
Component: Page LoadingAssignee: Daniel Bates <dbates>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: achristensen, beidson, buildbot, cdumez, dbates, dpaddock, hallo, japhet, kj.kim, ljharb, ptoomey3, sean, webkit-bug-importer, wilander, youennf, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=171550
Attachments:
Description Flags
Patch none

Patrick Toomey
Reported 2017-05-02 13:37:48 PDT
A group of colleagues of mine noticed that a session cookie was not being sent with a script request that looked something like this: <script src="./anonymous.js" crossorigin="anonymous"></script> It looks as though Safari treats any resource request with the crossorigin="anonymous" attribute as anonymous. But, this is only meant to apply for cross-origin requests. I setup a temporary PoC test page (the contents can be seen below) that can be viewed on Heroku (https://infinite-bayou-16019.herokuapp.com). The two endpoints reflect back a JS response based on whether a cookie is sent along with the JS fetch. Chrome and Firefox send cookies for both fetches, while Safari only sends it on the non-anonymous fetch. <html> <head> <script src="./non_anonymous.js"></script> <script src="./anonymous.js" crossorigin="anonymous"></script> </head> <body> <h1>Echo some cookies!</h1> </body> </html>
Attachments
Patch (5.35 KB, patch)
2017-05-03 22:04 PDT, youenn fablet 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
youenn fablet
Comment 1 2017-05-03 17:21:16 PDT
Thanks for filing this bug. We should set credential mode to same-origin in that case, which I believe would do what you are suggesting. Will try to look at it further. Are you seeing that for other resource types?
youenn fablet
Comment 2 2017-05-03 22:04:41 PDT
Created attachment 309016 [details] Patch
Radar WebKit Bug Importer
Comment 3 2018-05-01 10:11:52 PDT
<rdar://problem/39869363>
Christian Haller
Comment 4 2020-05-20 04:44:49 PDT
Three years later and it's still grinding my gears
youenn fablet
Comment 5 2020-05-20 05:50:28 PDT
@Christian Haller, I believe we have fixed this issue. Testing https://infinite-bayou-16019.herokuapp.com/, it seems to work. From code inspection, we are now correctly setting FetchOptions::Credentials::SameOrigin for anonymous loads. Would you be able to provide a jsfiddle with your issue? I'll close this bug for now. Please reopen it if you think this issue is not solved or create a new bug if this is actually a different issue.
Yusuke Suzuki
Comment 6 2020-05-20 11:38:42 PDT
Yes, this is fixed in https://trac.webkit.org/changeset/260038/webkit, and in STP 105 https://webkit.org/blog/10428/release-notes-for-safari-technology-preview-105/ *** This bug has been marked as a duplicate of bug 210326 ***
Christian Haller
Comment 7 2020-05-20 13:18:16 PDT
Nice, it works in Safari Technology Preview 106 👍🏻😍
Note You need to log in before you can comment on or make changes to this bug.