Bug 171566 - crossorigin="anonymous" resource loads are anonymous even for same-origin
Summary: crossorigin="anonymous" resource loads are anonymous even for same-origin
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Daniel Bates
Keywords: InRadar
Reported: 2017-05-02 13:37 PDT by Patrick Toomey
Modified: 2019-09-11 11:16 PDT (History)
CC List: 13 users

Attachments
Patch (5.35 KB, patch), 2017-05-03 22:04 PDT, youenn fablet, no flags

Description Patrick Toomey 2017-05-02 13:37:48 PDT
A group of colleagues of mine noticed that a session cookie was not being sent with a script request that looked something like this:

<script src="./anonymous.js" crossorigin="anonymous"></script>

It looks as though Safari treats any resource request with the crossorigin="anonymous" attribute as anonymous. But this is only meant to apply for cross-origin requests. I set up a temporary PoC test page (the contents can be seen below) that can be viewed on Heroku (https://infinite-bayou-16019.herokuapp.com). The two endpoints reflect back a JS response based on whether a cookie is sent along with the JS fetch. Chrome and Firefox send cookies for both fetches, while Safari only sends it on the non-anonymous fetch.

  <html>
    <head>
      <script src="./non_anonymous.js"></script>
      <script src="./anonymous.js" crossorigin="anonymous"></script>
    </head>
    <body>
      <h1>Echo some cookies!</h1>
    </body>
  </html>
Comment 1 youenn fablet 2017-05-03 17:21:16 PDT
Thanks for filing this bug.
We should set credential mode to same-origin in that case, which I believe would do what you are suggesting.
Will try to look at it further.

Are you seeing that for other resource types?
Comment 2 youenn fablet 2017-05-03 22:04:41 PDT
Created attachment 309016
Patch
Comment 3 Radar WebKit Bug Importer 2018-05-01 10:11:52 PDT
<rdar://problem/39869363>