Bug 276364
| Summary: | XMLHttpRequest without credentials fails with CORS error on redirections | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Przemyslaw Gorszkowski <pgorszkowski> |
| Component: | Page Loading | Assignee: | Przemyslaw Gorszkowski <pgorszkowski> |
| Status: | NEW | | |
| Severity: | Normal | CC: | achristensen, annevk, beidson, m_finkel, webkit-bug-importer, wilander, youennf |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | All | | |
| OS: | All | | |
Przemyslaw Gorszkowski
The problem was reported for WPE: https://github.com/WebPlatformForEmbedded/WPEWebKit/issues/1361 but it can also be reproduced for GTK or Safari (iPhone). The steps to reproduce:
1. Make an XMLHttpRequest without credentials to the same origin (same_origin_redirect):
```javascript
// withCredentials is left at its default (false), so the request is sent
// without credentials.
const xhr = new XMLHttpRequest();
xhr.open("GET", "http://same_origin/same_origin_redirect.php", true);
xhr.send(null);
```
2. same_origin_redirect.php redirects to a different origin:
```php
<?php
// Wildcard CORS header plus a 301 to the other origin.
header("Access-Control-Allow-Origin: *");
header("HTTP/1.1 301 Moved Permanently");
header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate");
header("Location: http://different_origin/different_origin_redirect.php");
?>
```
3. different_origin_redirect.php redirects back to the same origin:
```php
<?php
// Wildcard CORS header plus a 301 back to the original origin.
header("Access-Control-Allow-Origin: *");
header("HTTP/1.1 301 Moved Permanently");
header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate");
header("Location: http://same_origin/same_origin_target.php");
?>
```
4. same_origin_target.php:
```php
<?php
// Final target: wildcard CORS header, then a plain HTML body.
header("Access-Control-Allow-Origin: *");
?>
<html>
<head>
</head>
<body style="background-color:white">
<p style="font-weight: 600;">Wildcard CORS</p><br />
<p>Status: <strong id="status">SUCCESS</strong></p>
</body>
</html>
```
The last redirect fails because of:
```text
[Error] Cross-origin redirection to http://same_origin/same_origin_target.php denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
[Error] Failed to load resource: Cross-origin redirection to http://same_origin/same_origin_target.php denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. (same_origin_redirect.php, line 0)
[Error] XMLHttpRequest cannot load http://different_origin/different_origin_redirect.php due to access control checks.
```
The problem can also be reproduced with a LayoutTest covering a similar case (I will add the case in LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html in the PR).
Przemyslaw Gorszkowski
The problem does not exist on FF or Chrome (Chromium)
Przemyslaw Gorszkowski
The Fetch specification describes in which cases a "*" Access-Control-Allow-Origin is allowed for which credentials modes:
https://fetch.spec.whatwg.org/#cors-protocol-and-credentials
The problem in WebKit seems to be the implementation of "passesAccessControlCheck" from: https://github.com/WebKit/WebKit/blob/main/Source/WebCore/loader/CrossOriginAccessControl.cpp#L266
"passesAccessControlCheck" uses "StoredCredentialsPolicy" while it should probably use "FetchOptionsCredentials" to handle this correctly.
Chromium implementation: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/services/network/public/cpp/cors/cors.cc#144
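An added example (not code from the report, from WebKit or from Chromium) that models what this comment and the repro steps above describe: the Fetch spec's CORS check run over the report's three-hop redirect chain, once with the credentials flag taken from the request's credentials mode as the spec requires, and once from a hypothetical per-hop stored-credentials policy standing in for the reporter's suspicion. All type and function names are invented, and the Access-Control-Allow-Credentials step of the check is left out.

```cpp
#include <string>
#include <vector>

// Fetch-spec credentials mode; an XMLHttpRequest with withCredentials == false
// (the report's case) has mode "same-origin".
enum class CredentialsMode { Omit, SameOrigin, Include };

// One response in the redirect chain: its origin and Access-Control-Allow-Origin
// value ("" when the header is absent).
struct Hop { std::string origin; std::string allowOrigin; };

// CORS check (https://fetch.spec.whatwg.org/#cors-check): "*" passes unless the
// credentials flag is set; otherwise the header must equal the serialized origin.
bool corsCheck(const std::string& allowOrigin, const std::string& serializedOrigin, bool credentialsFlag) {
    if (allowOrigin == "*") return !credentialsFlag;
    return !allowOrigin.empty() && allowOrigin == serializedOrigin;
}
using CredentialsFlagFn = bool (*)(const Hop&, const std::string&, CredentialsMode);
// Spec behaviour: the flag depends only on the request's credentials mode.
bool flagPerSpec(const Hop&, const std::string&, CredentialsMode mode) { return mode == CredentialsMode::Include; }
// Hypothetical model of the reporter's suspicion (not WebKit's code): the flag is
// taken from a per-hop stored-credentials policy, which under mode "same-origin"
// permits stored credentials only on hops served from the request's own origin.
bool flagFromStoredPolicy(const Hop& hop, const std::string& requestOrigin, CredentialsMode mode) {
    if (mode != CredentialsMode::SameOrigin) return mode == CredentialsMode::Include;
    return hop.origin == requestOrigin;
}
// Walk the chain as a cors-mode request. After the first cross-origin hop the
// request has a redirect-tainted origin: Origin serializes as "null" and every
// later response, even one back on the request's origin, must pass the CORS
// check, which only "*" can satisfy. Returns the index of the first rejected
// hop, or -1 when the whole chain is accepted.
int followRedirects(const std::vector<Hop>& chain, const std::string& requestOrigin,
                    CredentialsMode mode, CredentialsFlagFn flagFor) {
    bool tainted = false;
    for (int i = 0; i < static_cast<int>(chain.size()); ++i) {
        tainted = tainted || chain[i].origin != requestOrigin;
        if (tainted && !corsCheck(chain[i].allowOrigin, "null", flagFor(chain[i], requestOrigin, mode)))
            return i;
    }
    return -1;
}

// The report's chain, using its placeholder hosts: same -> different -> same, all with "*".
const std::vector<Hop> kReportChain = {
    {"http://same_origin", "*"}, {"http://different_origin", "*"}, {"http://same_origin", "*"}};

int outcomePerSpec() { return followRedirects(kReportChain, "http://same_origin", CredentialsMode::SameOrigin, flagPerSpec); }
int outcomePerStoredPolicy() { return followRedirects(kReportChain, "http://same_origin", CredentialsMode::SameOrigin, flagFromStoredPolicy); }
```

With the spec derivation the chain is accepted (-1); with the stored-policy derivation the third hop (index 2), the redirect back to the request's own origin, is rejected, matching the error the report shows.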
Przemyslaw Gorszkowski
Pull request: https://github.com/WebKit/WebKit/pull/30638
Radar WebKit Bug Importer
<rdar://problem/131831204>