WebKit Bugzilla
RESOLVED FIXED
272682
Timing-Allow-Origin works with 302
https://bugs.webkit.org/show_bug.cgi?id=272682
jannis.rautenstrauch
Reported
2024-04-15 08:04:54 PDT
If a response with status code 302 sets a timing-allow-origin header, WebKit grants reading access (same as for status code 200). Firefox and Chromium do not apply the timing-allow-origin header on a 302 response. I am not sure if the specifications say anything about this edge case. As the other two implementations agree, I filed the bug here. Example URL:
https://sub.headers.websec.saarland/_hp/tests/perfAPI-tao.sub.html?resp_type=basic&browser_id=1&label=TAO&first_id=217&last_id=217&scheme=https&t_resp_id=217&t_element_relation=img_direct&t_resp_origin=https://headers.webappsec.eu
- Response with status code 302 sets 'timing-allow-origin: *'
- "requestStart != 0": true in WebKit
- "requestStart != 0": false in Firefox, Chromium
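The "requestStart != 0" check from the report can be run over every cross-origin resource entry on a page to see where detailed timing is readable. This is an added example, not part of the original bug report or of WebKit's tests; the function name, the field list and the sample entries (hosts `page.example` and `other.example`) are constructed for illustration.

```javascript
// Added example. Timestamps that browsers report as 0 for a cross-origin
// resource when the Timing-Allow-Origin check fails.
const GATED_FIELDS = [
  "redirectStart", "redirectEnd", "domainLookupStart", "domainLookupEnd",
  "connectStart", "secureConnectionStart", "connectEnd",
  "requestStart", "responseStart",
];

// entries: PerformanceResourceTiming objects, or plain objects with the same
// fields. Returns one record per cross-origin entry.
function auditTimingExposure(entries, pageOrigin) {
  const report = [];
  for (const e of entries) {
    let origin;
    try {
      origin = new URL(e.name).origin;
    } catch {
      continue; // entry name is not an absolute URL
    }
    if (origin === pageOrigin) continue; // same-origin entries are never gated
    report.push({
      url: e.name,
      origin,
      exposed: Number(e.requestStart) !== 0, // the check used in the report
      exposedFields: GATED_FIELDS.filter((f) => Number(e[f]) > 0),
    });
  }
  return report;
}

// Constructed sample entries (not captured from a real page).
const SAMPLE_ENTRIES = [
  { name: "https://page.example/app.js", fetchStart: 3, requestStart: 4,
    responseStart: 8, responseEnd: 9 },
  { name: "https://other.example/constructed/a.png", fetchStart: 10,
    domainLookupStart: 11, domainLookupEnd: 12, connectStart: 12,
    secureConnectionStart: 13, connectEnd: 15, requestStart: 16,
    responseStart: 30, responseEnd: 31, redirectStart: 0, redirectEnd: 0 },
  { name: "https://other.example/constructed/b.png", fetchStart: 10,
    domainLookupStart: 0, domainLookupEnd: 0, connectStart: 0,
    secureConnectionStart: 0, connectEnd: 0, requestStart: 0,
    responseStart: 0, responseEnd: 40, redirectStart: 0, redirectEnd: 0 },
];

// In a browser, pass performance.getEntriesByType("resource") and location.origin.
console.log(auditTimingExposure(SAMPLE_ENTRIES, "https://page.example"));
```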
Radar WebKit Bug Importer
Comment 1
2024-04-15 22:36:33 PDT
<rdar://problem/126531139>
youenn fablet
Comment 2
2024-04-17 02:03:00 PDT
Pull request: https://github.com/WebKit/WebKit/pull/27377
EWS
Comment 3
2024-05-07 03:17:52 PDT
Committed 278448@main (6a2c5a304253): <https://commits.webkit.org/278448@main>

Reviewed commits have been landed. Closing PR #27377 and removing active labels.