Bug 208035 - WKWebViewConfiguration._corsDisablingPatterns should also disable CORS for script tags with crossorigin attributes
Summary: WKWebViewConfiguration._corsDisablingPatterns should also disable CORS for sc...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Alex Christensen
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-02-20 15:32 PST by Alex Christensen
Modified: 2020-02-26 17:42 PST (History)
8 users (show)

See Also:

Attachments
Patch (5.23 KB, patch)
2020-02-20 15:33 PST, Alex Christensen 		timothy: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Christensen 2020-02-20 15:32:12 PST 
WKWebViewConfiguration._corsDisablingPatterns should also disable CORS for script tags with crossorigin attributes
Comment 1 Alex Christensen 2020-02-20 15:33:48 PST 
Created attachment 391344 [details]
Patch
Comment 2 Alex Christensen 2020-02-20 15:33:51 PST 
<rdar://problem/58011337>
Comment 3 youenn fablet 2020-02-21 02:40:18 PST 
Comment on attachment 391344 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=391344&action=review

> Source/WebCore/loader/CrossOriginAccessControl.cpp:131
> +    if (options.mode != FetchOptions::Mode::NoCors) {

If the goal is to change the behaviour for scripts only (as seems to indicate the bug title), I believe we should do the change in CachedScriptFetcher.
If we want to do this for all loads, maybe we should update the option in CachedResourceLoader instead.
Note also that this change is visible from service workers.
Comment 4 Alex Christensen 2020-02-21 07:29:22 PST 
We do want it for everything, the title just reflects that we found this through scripts.  We should change the title, and maybe move this logic to CachedResourceLoader
Comment 5 Alex Christensen 2020-02-24 10:12:41 PST 
I changed the title.
http://trac.webkit.org/r257215
Attempts to move this to CachedResourceLoader failed.  The only relevant code in that class that is hit in this test is CachedResourceLoader::requestResource and changing the CORS mode then seems too late because it just times out.
Comment 6 Alex Christensen 2020-02-26 17:42:47 PST 
https://trac.webkit.org/changeset/257215/webkit