WebKit Bugzilla
RESOLVED DUPLICATE of bug 37676
83333
DocumentThreadableLoader doesn't remove credentials from preflight requests.
https://bugs.webkit.org/show_bug.cgi?id=83333
Bill Budge
Reported
2012-04-05 17:04:51 PDT
This came up on StackOverflow:
http://stackoverflow.com/questions/9830436/why-does-chrome-send-user-credentials-with-preflighed-cors-request
It looks like the logic in DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight is conforming to an earlier version of the standard, and potentially allowing cookies in the preflight request:

void DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight(const ResourceRequest& request)
{
    ResourceRequest preflightRequest = createAccessControlPreflightRequest(request, securityOrigin(), m_options.allowCredentials);
    loadRequest(preflightRequest, DoSecurityCheck);
}

The 'createAccessControlPreflightRequest' method shouldn't have that last parameter.
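Added example, not part of the original report and not WebKit code: a server-side handler that answers CORS preflights from its CORS policy alone and checks credentials only on the actual request, so its answer is the same whether or not a browser attaches cookies to the preflight as described above. POLICY, handle(), the 403 for unlisted origins and the sample requests are assumptions constructed for illustration.

```javascript
// Added illustration; POLICY, handle() and the sample requests are constructed.
const POLICY = {
  origins: new Set(['https://app.example']),
  methods: 'GET, POST, PUT',
  headers: 'content-type, x-requested-with',
};
const CREDENTIAL_HEADERS = ['cookie', 'authorization'];

// A CORS preflight is an OPTIONS request carrying Origin and
// Access-Control-Request-Method.
function isPreflight(req) {
  return req.method === 'OPTIONS' &&
    req.headers.origin !== undefined &&
    req.headers['access-control-request-method'] !== undefined;
}

// Returns { status, headers, sawCredentials }. Header names are lower-cased,
// as Node's http module delivers them.
function handle(req, isAuthenticated) {
  const origin = req.headers.origin;
  const cors = POLICY.origins.has(origin)
    ? { 'access-control-allow-origin': origin,
        'access-control-allow-credentials': 'true',
        vary: 'Origin' }
    : {};
  if (isPreflight(req)) {
    // Decide from the CORS policy alone: never authenticate a preflight, and
    // never let a Cookie/Authorization header on it change the answer.
    const sawCredentials = CREDENTIAL_HEADERS.some((h) => h in req.headers);
    if (!POLICY.origins.has(origin)) return { status: 403, headers: {}, sawCredentials };
    return { status: 204, sawCredentials, headers: { ...cors,
      'access-control-allow-methods': POLICY.methods,
      'access-control-allow-headers': POLICY.headers } };
  }
  // The actual request is where credentials are checked.
  const ok = isAuthenticated(req.headers.cookie);
  return { status: ok ? 200 : 401, headers: cors, sawCredentials: false };
}

// Constructed requests: a preflight without credentials, the same preflight
// with a cookie attached (the behaviour reported here), and the actual request.
const preflight = { method: 'OPTIONS', headers: {
  origin: 'https://app.example', 'access-control-request-method': 'PUT' } };
const leaky = { ...preflight, headers: { ...preflight.headers, cookie: 'sid=abc' } };
const actual = { method: 'PUT', headers: { origin: 'https://app.example', cookie: 'sid=abc' } };
const auth = (cookie) => cookie === 'sid=abc';

for (const r of [preflight, leaky, actual]) console.log(r.method, handle(r, auth).status);
```

The sawCredentials flag gives the server a place to log preflights that arrive with credentials without letting them affect the response.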
Alexey Proskuryakov
Comment 1
2012-04-05 17:18:25 PDT
*** This bug has been marked as a duplicate of bug 37676 ***