272682 – Timing-Allow-Origin works with 302

Bug 272682 - Timing-Allow-Origin works with 302

Summary: Timing-Allow-Origin works with 302

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Page Loading (show other bugs)
Version:	Safari 17
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	youenn fablet

URL:
Keywords:	BrowserCompat, InRadar

Depends on:
Blocks:

Reported:	2024-04-15 08:04 PDT by jannis.rautenstrauch
Modified:	2024-05-07 03:17 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description jannis.rautenstrauch 2024-04-15 08:04:54 PDT

If a response with status code 302 sets a timing-allow-origin header, WebKit grants reading access (same as for status code 200).

Firefox and Chromium do not apply the timing-allow-origin header on a 302 response.
I am not sure if the specifications say anything about this edge case. As the other two implementations agree, I filed the bug here.

Example URL: https://sub.headers.websec.saarland/_hp/tests/perfAPI-tao.sub.html?resp_type=basic&browser_id=1&label=TAO&first_id=217&last_id=217&scheme=https&t_resp_id=217&t_element_relation=img_direct&t_resp_origin=https://headers.webappsec.eu
- Response with status code 302 sets 'timing-allow-origin: *'
- "requestStart != 0": true in WebKit
- "requestStart != 0": false in Firefox, Chromium

Comment 1 Radar WebKit Bug Importer 2024-04-15 22:36:33 PDT

<rdar://problem/126531139>

Comment 2 youenn fablet 2024-04-17 02:03:00 PDT

Pull request: https://github.com/WebKit/WebKit/pull/27377

Comment 3 EWS 2024-05-07 03:17:52 PDT

Committed 278448@main (6a2c5a304253): <https://commits.webkit.org/278448@main>

Reviewed commits have been landed. Closing PR #27377 and removing active labels.