Bug 239119

Summary: <link rel=preconnect> always sends credentials to different-origin, ignoring crossorigin=anonymous
Product: WebKit
Reporter: Noam Rosenthal <noam>
Component: Page Loading
Assignee: youenn fablet <youennf>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, beidson, cdumez, ews-watchlist, japhet, webkit-bug-importer, wilander, yoav, youennf
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Noam Rosenthal
Reported 2022-04-12 02:35:15 PDT
Given <link rel=preconnect href="https://some-other-origin" crossorigin=anonymous> I believe from reading the code that the "anonymous" bit would be ignored:

Looking at Source/WebCore/loader/LinkLoader.cpp, line 217:

    if (equalIgnoringASCIICase(params.crossOrigin, "anonymous") && document.securityOrigin().isSameOriginDomain(SecurityOrigin::create(href)))
        storageCredentialsPolicy = StoredCredentialsPolicy::DoNotUse;

If I understand this line correctly, it would mean something like:

    useCredentials = link.crossorigin != 'anonymous' || !same_origin(link.href, document.origin)

So any preconnect to a different-origin href would send credentials :(

https://github.com/WebKit/WebKit/blob/8a5b17627ecd1a551b59978434f64378b4943bc7/Source/WebCore/loader/LinkLoader.cpp#L217

(It's a bit difficult to WPT this or show how this is ...)
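Added example, not WebKit code and not the patch attached to this bug: the credentials predicate as quoted in the report, beside the behaviour the reporter expects, evaluated over a toy origin model. `Origin`, `originOf` and the two `policy*` functions are constructed stand-ins for WebCore's SecurityOrigin and LinkLoader logic; that a same-origin preconnect keeps credentials even with crossorigin=anonymous is this example's assumption, not something the report states.

```cpp
#include <cctype>
#include <string>
#include <string_view>
#include <tuple>

enum class StoredCredentialsPolicy { Use, DoNotUse };

// Stand-in for WebCore::SecurityOrigin (constructed for this example): scheme, host and port.
struct Origin {
    std::string scheme, host;
    unsigned port = 0;
    bool isSameOriginDomain(const Origin& o) const {
        return std::tie(scheme, host, port) == std::tie(o.scheme, o.host, o.port);
    }
};

// Toy parser for absolute URLs of the form scheme://host[:port][/path]; not WebCore's URL class.
Origin originOf(std::string_view url) {
    auto sep = url.find("://");
    if (sep == std::string_view::npos) return {};
    Origin o{std::string(url.substr(0, sep)), {}, 0};
    std::string_view authority = url.substr(sep + 3);
    authority = authority.substr(0, authority.find('/'));
    auto colon = authority.find(':');
    o.host = std::string(authority.substr(0, colon));
    o.port = colon == std::string_view::npos ? (o.scheme == "https" ? 443u : 80u)
                                             : static_cast<unsigned>(std::stoul(std::string(authority.substr(colon + 1))));
    return o;
}

// ASCII case-insensitive comparison, mirroring the helper named in the quoted line.
bool equalIgnoringASCIICase(std::string_view a, std::string_view b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i)
        if (std::tolower((unsigned char)a[i]) != std::tolower((unsigned char)b[i])) return false;
    return true;
}

// The condition as quoted from LinkLoader.cpp in the report: credentials are withheld only when the
// link is anonymous AND same-origin, so every cross-origin preconnect still carries credentials.
StoredCredentialsPolicy policyAsReported(std::string_view crossOrigin, const Origin& document, const Origin& href) {
    if (equalIgnoringASCIICase(crossOrigin, "anonymous") && document.isSameOriginDomain(href))
        return StoredCredentialsPolicy::DoNotUse;
    return StoredCredentialsPolicy::Use;
}

// The behaviour the reporter expects: an anonymous preconnect to a different origin carries no
// credentials (same-origin preconnects keeping credentials is this example's assumption).
StoredCredentialsPolicy policyExpected(std::string_view crossOrigin, const Origin& document, const Origin& href) {
    if (equalIgnoringASCIICase(crossOrigin, "anonymous") && !document.isSameOriginDomain(href))
        return StoredCredentialsPolicy::DoNotUse;
    return StoredCredentialsPolicy::Use;
}
```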
Attachments

Patch (2.13 KB, patch), 2022-04-26 05:02 PDT, youenn fablet, no flags
Patch for landing (2.13 KB, patch), 2022-04-27 00:46 PDT, youenn fablet, no flags
Radar WebKit Bug Importer
Comment 1 2022-04-12 12:48:46 PDT
youenn fablet
Comment 2 2022-04-26 05:02:33 PDT
John Wilander
Comment 3 2022-04-26 08:13:30 PDT
Comment on attachment 458352 [details] Patch

r=me
EWS
Comment 4 2022-04-26 23:49:35 PDT
Tools/Scripts/svn-apply failed to apply attachment 458352 [details] to trunk. Please resolve the conflicts and upload a new patch.
youenn fablet
Comment 5 2022-04-27 00:46:30 PDT
Created attachment 458427 [details] Patch for landing
EWS
Comment 6 2022-04-27 03:37:17 PDT
Committed r293503 (250034@main): <https://commits.webkit.org/250034@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 458427 [details].