WebKit Bugzilla
276364
XMLHttpRequest without credentials fails with CORS error on redirections
https://bugs.webkit.org/show_bug.cgi?id=276364
Przemyslaw Gorszkowski
Reported
2024-07-09 05:19:12 PDT
The problem was reported for WPE:
https://github.com/WebPlatformForEmbedded/WPEWebKit/issues/1361
but it can also be reproduced for GTK or Safari (iPhone).

The steps to reproduce:

1. Make an XMLHttpRequest without credentials to the same origin (same_origin_redirect.php):

    // withCredentials is left at its default (false)
    const xhr = new XMLHttpRequest();
    xhr.open("GET", "http://same_origin/same_origin_redirect.php", true);
    xhr.send(null);

2. same_origin_redirect.php redirects to a different origin:

    <?php
    header("Access-Control-Allow-Origin: *");
    header("HTTP/1.1 301 Moved Permanently");
    header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate");
    header("Location: http://different_origin/different_origin_redirect.php");
    ?>

3. different_origin_redirect.php redirects back to the same origin:

    <?php
    header("Access-Control-Allow-Origin: *");
    header("HTTP/1.1 301 Moved Permanently");
    header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate");
    header("Location: http://same_origin/same_origin_target.php");
    ?>

4. same_origin_target.php:

    <?php header("Access-Control-Allow-Origin: *"); ?>
    <html>
    <head>
    </head>
    <body style="background-color:white">
    <p style="font-weight: 600;">Wildcard CORS</p><br />
    <p>Status: <strong id="status">SUCCESS</strong></p>
    </body>
    </html>

The last redirect fails because of:

    [Error] Cross-origin redirection to http://same_origin/same_origin_target.php denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
    [Error] Failed to load resource: Cross-origin redirection to http://same_origin/same_origin_target.php denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. (same_origin_redirect.php, line 0)
    [Error] XMLHttpRequest cannot load http://different_origin/different_origin_redirect.php due to access control checks.

The problem can also be reproduced with a LayoutTest with a similar case (I will add the case in LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html in the PR).
Przemyslaw Gorszkowski
Comment 1
2024-07-09 05:31:54 PDT
The problem does not exist on FF or Chrome (Chromium)
Przemyslaw Gorszkowski
Comment 2
2024-07-09 05:42:09 PDT
The Fetch specification describes in which cases a "*" Access-Control-Allow-Origin is allowed for which credentials modes:
https://fetch.spec.whatwg.org/#cors-protocol-and-credentials
The problem in WebKit seems to be the implementation of "passesAccessControlCheck" from:
https://github.com/WebKit/WebKit/blob/main/Source/WebCore/loader/CrossOriginAccessControl.cpp#L266
"passesAccessControlCheck" uses "StoredCredentialsPolicy" while it probably should use "FetchOptionsCredentials" to handle this correctly. Chromium implementation:
https://chromium.googlesource.com/chromium/src/+/refs/heads/main/services/network/public/cpp/cors/cors.cc#144
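As an added illustration of the credentials-mode rule in the Fetch specification linked above (example code, not WebKit's or Chromium's), the following model of the Fetch "CORS check" decides the wildcard case from the request's credentials mode and contrasts it with a check keyed on whether stored credentials are in use, the mix-up the comment describes. The header maps, the "null" serialization of an opaque origin after a cross-origin redirect, and the function names are constructed for the example.

```javascript
// Added example (not WebKit or Chromium code): a model of the Fetch "CORS check"
// (https://fetch.spec.whatwg.org/#concept-cors-check) keyed on the request's
// credentials mode ("omit", "same-origin" or "include"), as the spec requires.

// Case-insensitive single-header lookup over a constructed header map.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v.trim();
  }
  return null;
}

// requestOrigin is the serialized request origin; it is "null" for an opaque
// origin, which is what a request carries after a cross-origin redirect.
function passesCorsCheck(responseHeaders, requestOrigin, credentialsMode) {
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;
  // A wildcard is acceptable only when credentials mode is not "include".
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false;
  if (credentialsMode !== "include") return true;
  // With credentials, the origin must match exactly and ACAC must be "true".
  return getHeader(responseHeaders, "Access-Control-Allow-Credentials") === "true";
}

// The mix-up Comment 2 describes, modelled here: treating "stored credentials
// are in use" (true for a request that started out same-origin) as if it were
// credentials mode "include".
function passesCheckKeyedOnStoredCredentials(responseHeaders, requestOrigin, storedCredentialsInUse) {
  const mode = storedCredentialsInUse ? "include" : "omit";
  return passesCorsCheck(responseHeaders, requestOrigin, mode);
}

// Constructed headers matching same_origin_target.php from the report.
const wildcardResponse = { "Access-Control-Allow-Origin": "*" };

// xhr.withCredentials defaults to false, i.e. credentials mode "same-origin";
// after the bounce through different_origin the request origin is opaque.
function reproduceBug() {
  return {
    perSpec: passesCorsCheck(wildcardResponse, "null", "same-origin"),
    keyedOnStoredCredentials: passesCheckKeyedOnStoredCredentials(wildcardResponse, "null", true),
  };
}
```

Calling reproduceBug() returns perSpec true and keyedOnStoredCredentials false, which is the split between the spec behaviour and the error quoted in the report.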
Przemyslaw Gorszkowski
Comment 3
2024-07-10 01:19:29 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/30638
Radar WebKit Bug Importer
Comment 4
2024-07-16 05:20:12 PDT
<rdar://problem/131831204>