Bug 83333

Summary: DocumentThreadableLoader doesn't remove credentials from preflight requests.
Product: WebKit Reporter: Bill Budge <bbudge>
Component: PlatformAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: ap, fishd, levin
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   

Description Bill Budge 2012-04-05 17:04:51 PDT 
This came up on StackOverflow:
http://stackoverflow.com/questions/9830436/why-does-chrome-send-user-credentials-with-preflighed-cors-request

It looks like the logic in DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight is conforming to an earlier version of the standard, and potentially allowing cookies in the preflight request:

void DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight(const ResourceRequest& request)
{
    ResourceRequest preflightRequest = createAccessControlPreflightRequest(request, securityOrigin(), m_options.allowCredentials);
    loadRequest(preflightRequest, DoSecurityCheck);
}

The 'createAccessControlPreflightRequest' method shouldn't have that last parameter.
Comment 1 Alexey Proskuryakov 2012-04-05 17:18:25 PDT 

*** This bug has been marked as a duplicate of bug 37676 ***