83333 – DocumentThreadableLoader doesn't remove credentials from preflight requests.

Bug 83333 - DocumentThreadableLoader doesn't remove credentials from preflight requests.

Summary: DocumentThreadableLoader doesn't remove credentials from preflight requests.

Status:	RESOLVED DUPLICATE of bug 37676

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Platform (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2012-04-05 17:04 PDT by Bill Budge
Modified:	2012-04-05 17:18 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Bill Budge 2012-04-05 17:04:51 PDT

This came up on StackOverflow:
http://stackoverflow.com/questions/9830436/why-does-chrome-send-user-credentials-with-preflighed-cors-request

It looks like the logic in DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight is conforming to an earlier version of the standard, and potentially allowing cookies in the preflight request:

void DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight(const ResourceRequest& request)
{
    ResourceRequest preflightRequest = createAccessControlPreflightRequest(request, securityOrigin(), m_options.allowCredentials);
    loadRequest(preflightRequest, DoSecurityCheck);
}

The 'createAccessControlPreflightRequest' method shouldn't have that last parameter.

Comment 1 Alexey Proskuryakov 2012-04-05 17:18:25 PDT


*** This bug has been marked as a duplicate of bug 37676 ***