Bug 83333
| Summary: | DocumentThreadableLoader doesn't remove credentials from preflight requests. | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Bill Budge <bbudge> |
| Component: | Platform | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | ap, fishd, levin |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | All | ||
| OS: | All | ||
Bill Budge
This came up on StackOverflow:
http://stackoverflow.com/questions/9830436/why-does-chrome-send-user-credentials-with-preflighed-cors-request
It looks like the logic in DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight is conforming to an earlier version of the standard, and potentially allowing cookies in the preflight request:
void DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight(const ResourceRequest& request)
{
ResourceRequest preflightRequest = createAccessControlPreflightRequest(request, securityOrigin(), m_options.allowCredentials);
loadRequest(preflightRequest, DoSecurityCheck);
}
The 'createAccessControlPreflightRequest' method shouldn't have that last parameter.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Alexey Proskuryakov
*** This bug has been marked as a duplicate of bug 37676 ***