Bug 146650 - Origin not sent on anonymous async JS requests
Summary: Origin not sent on anonymous async JS requests
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified OS X 10.10
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2015-07-06 12:00 PDT by Patrick Toomey
Modified: 2020-08-28 15:21 PDT

Description Patrick Toomey 2015-07-06 12:00:02 PDT
We had some CORS logic that relied on looking at the `Origin` header for setting the appropriate `Access-Control-Allow-Origin` response. The page that relied on this looked something like:

```
<html>
...
<script crossorigin="anonymous" src="..."></script>
<script async="async" crossorigin="anonymous" src="..."></script>
<script async="async" crossorigin="anonymous" src="..."></script>
...
</html>
```

We noticed that only the first JS request included the `Origin` header. The two async requests did not include it. Even more strangely, it seems like the non-async resource acts like some sort of toggle that prevents `Origin` from being added for all future JS resource requests. For example:

```
# The below will send `Origin` for the first request and not for the second and third
<script some-non-async...>
<script async="async"...>
<script async="async"...>

# The below will send `Origin` for the first and second request and not the third
<script async="async"...>
<script some-non-async...>
<script async="async"...>

# The below will send `Origin` for all the requests
<script async="async"...>
<script async="async"...>
<script some-non-async...>
```

This behavior is reproducible on the latest Safari as well as the latest WebKit nightly.
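
Added example (not part of the original report and not the reporter's code): a server-side sketch of CORS logic that derives `Access-Control-Allow-Origin` from `Origin` and still behaves predictably when the header is missing, as it was for the async requests described above. The allowlist, host names and the `corsHeadersFor` helper with its `publicAsset` option are assumptions made for illustration.

```javascript
// Hypothetical helper for illustration; all origins and hosts are constructed.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://www.example.com',
]);

// requestHeaders: object keyed by lower-cased header names (as Node's http
// module provides). publicAsset: true when the script is served without
// credentials and may be read by any site, so "*" is an acceptable fallback.
function corsHeadersFor(requestHeaders, { publicAsset = false } = {}) {
  // Always vary on Origin so a shared cache never replays a response
  // computed for one Origin (or for no Origin) to a different requester.
  const headers = { Vary: 'Origin' };
  const origin = requestHeaders.origin;

  if (typeof origin === 'string' && origin !== '') {
    // Exact-match comparison only; no substring or pattern matching.
    if (ALLOWED_ORIGINS.has(origin)) {
      headers['Access-Control-Allow-Origin'] = origin;
    }
    return headers;
  }

  // No Origin header: the case in this report. There is nothing to reflect,
  // so either fall back to "*" for public assets or emit no CORS header.
  if (publicAsset) {
    headers['Access-Control-Allow-Origin'] = '*';
  }
  return headers;
}

// Constructed requests mirroring the <script> tags in the report.
function demo() {
  const withOrigin = { host: 'cdn.example.com', origin: 'https://app.example.com' };
  const asyncNoOrigin = { host: 'cdn.example.com' }; // Origin missing
  const unlisted = { host: 'cdn.example.com', origin: 'https://other.example.net' };
  return {
    first: corsHeadersFor(withOrigin),
    asyncStrict: corsHeadersFor(asyncNoOrigin),
    asyncPublic: corsHeadersFor(asyncNoOrigin, { publicAsset: true }),
    unlisted: corsHeadersFor(unlisted),
  };
}

console.log(demo());
```

With reflection-only logic (`asyncStrict`), a request that arrives without `Origin` gets no `Access-Control-Allow-Origin`, so a `crossorigin="anonymous"` script fails its CORS check; the `publicAsset` fallback covers that case for credential-free static files.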
Comment 1 Radar WebKit Bug Importer 2015-07-11 06:06:34 PDT
<rdar://problem/21781367>
Comment 2 Tim Finley 2015-07-14 13:31:17 PDT
I also just ran into this. I am on Safari Version 7.1.6 (9537.85.15.3).
Comment 3 Trevor Burnham 2015-07-14 13:43:46 PDT
In addition to the Safari version Tim Finley mentioned, I've been able to reproduce this in:

* Version 8.0.7 (10600.7.12)
* Version 6.1 (8537.71)
* Version 6.0.5 (7536.30.1)
Comment 4 Tim Finley 2016-10-21 09:39:47 PDT
Note, this seems to be fixed in Safari 10 on Sierra (but still doesn't work in Safari 9.1 in El Capitan).
Comment 5 Brent Fulgham 2020-08-28 15:21:14 PDT
Closing based on reporter's statement about Safari 10.