While loading is deferred, incoming headers are buffered until loading resumes. But new requests (which need to read cookie headers) can be created, and these are expected to include the cookies from those requests. A specific scenario is when request receives a 401 response with a Set-Cookie header is received. First NetworkJob is signalled that there was an authentication failure and credentials are needed, so it opens a password dialog and defers loading until it is closed. Then the headers and data from the response arrive and are buffered. After the user closes the dialog, first the credentials are processed - meaning a followup request is created, identical to the original but with new Cookie and Authorization headers - and then loading is resumed - and now the Set-Cookie headers are processed. Since some custom auth schemes depend on setting a cookie with the 401 response and receiving it back with the followup, the cookies from the Set-Cookie headers must be added to the cookie jar before creating the followup request, even if loading is deferred due to the auth dialog.
Created attachment 190740 [details] fix
Comment on attachment 190740 [details] fix based on Leo's review
Comment on attachment 190740 [details] fix Clearing flags on attachment: 190740 Committed r144326: <http://trac.webkit.org/changeset/144326>
All reviewed patches have been landed. Closing bug.