RESOLVED FIXED Bug 239119
<link rel=preconnect> always sends credentials to different-origin, ignoring crossorigin=anonymous
https://bugs.webkit.org/show_bug.cgi?id=239119
Noam Rosenthal
Reported 2022-04-12 02:35:15 PDT
Given <link rel=preconnect href="https://some-other-origin" crossorigin=anonymous> I believe from reading the code that the "anonymous" bit would be ignored.

Looking at Source/WebCore/loader/LinkLoader.cpp, line 217:

    if (equalIgnoringASCIICase(params.crossOrigin, "anonymous") && document.securityOrigin().isSameOriginDomain(SecurityOrigin::create(href)))
        storageCredentialsPolicy = StoredCredentialsPolicy::DoNotUse;

If I understand this line correctly, it would mean something like:

    useCredentials = link.crossorigin != 'anonymous' || !same_origin(link.href, document.origin)

So any preconnect to a different-origin href would send credentials :(

https://github.com/WebKit/WebKit/blob/8a5b17627ecd1a551b59978434f64378b4943bc7/Source/WebCore/loader/LinkLoader.cpp#L217

(It's a bit difficult to WPT this or show how this is ...)
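Added example, not part of the original report and not WebKit code: a small model that evaluates the condition quoted above next to the HTML Standard's preconnect rule (credentials are withheld only when crossorigin is in the Anonymous state and the target is a different origin) and flags the inputs where the two disagree. The function names, document URL and link list are constructed for illustration.

```javascript
// Added illustration; names and sample URLs are constructed, not WebKit code.

// True when both URLs share scheme, host and port.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Model of the condition quoted in the report:
//   anonymous && same-origin  =>  StoredCredentialsPolicy::DoNotUse
function reportedUsesCredentials(crossorigin, href, documentURL) {
  const anonymous = typeof crossorigin === 'string' &&
    crossorigin.toLowerCase() === 'anonymous';
  const doNotUse = anonymous && sameOrigin(href, documentURL);
  return !doNotUse;
}

// Model of the HTML preconnect rule. A missing attribute (null) is No CORS;
// "use-credentials" is its own state; any other value, including "" and
// unknown keywords, maps to the Anonymous state.
function specUsesCredentials(crossorigin, href, documentURL) {
  const anonymous = typeof crossorigin === 'string' &&
    crossorigin.toLowerCase() !== 'use-credentials';
  return !(anonymous && !sameOrigin(href, documentURL));
}

// Evaluate both models for each link and mark disagreements.
function compare(documentURL, links) {
  return links.map(({ crossorigin, href }) => {
    const reported = reportedUsesCredentials(crossorigin, href, documentURL);
    const expected = specUsesCredentials(crossorigin, href, documentURL);
    return { crossorigin, href, reported, expected, mismatch: reported !== expected };
  });
}

// Constructed sample input.
const DOCUMENT_URL = 'https://shop.example/cart';
const LINKS = [
  { crossorigin: 'anonymous', href: 'https://cdn.example/' },
  { crossorigin: 'anonymous', href: 'https://shop.example/api' },
  { crossorigin: 'ANONYMOUS', href: 'https://cdn.example/' },
  { crossorigin: 'use-credentials', href: 'https://cdn.example/' },
  { crossorigin: null, href: 'https://cdn.example/' },
];

console.table(compare(DOCUMENT_URL, LINKS));
```

The mismatching rows are the anonymous ones: the quoted condition keeps credentials on the cross-origin preconnect and drops them on the same-origin one.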
Attachments
Patch (2.13 KB, patch)
2022-04-26 05:02 PDT, youenn fablet
no flags
Patch for landing (2.13 KB, patch)
2022-04-27 00:46 PDT, youenn fablet
no flags
Radar WebKit Bug Importer
Comment 1 2022-04-12 12:48:46 PDT
youenn fablet
Comment 2 2022-04-26 05:02:33 PDT
John Wilander
Comment 3 2022-04-26 08:13:30 PDT
Comment on attachment 458352 [details] Patch r=me
EWS
Comment 4 2022-04-26 23:49:35 PDT
Tools/Scripts/svn-apply failed to apply attachment 458352 [details] to trunk. Please resolve the conflicts and upload a new patch.
youenn fablet
Comment 5 2022-04-27 00:46:30 PDT
Created attachment 458427 [details] Patch for landing
EWS
Comment 6 2022-04-27 03:37:17 PDT
Committed r293503 (250034@main): <https://commits.webkit.org/250034@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 458427 [details].