<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[283565] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/283565">283565</a></dd>
<dt>Author</dt> <dd>cdumez@apple.com</dd>
<dt>Date</dt> <dd>2021-10-05 11:48:10 -0700 (Tue, 05 Oct 2021)</dd>
</dl>

<h3>Log Message</h3>
<pre>Authorization header lost on 30x redirects
https://bugs.webkit.org/show_bug.cgi?id=230935
<rdar://problem/83689955>

Reviewed by Darin Adler.

Source/WebCore:

CFNetwork drops the Authorization request header in cases of same-origin redirects, which is not as per
the fetch specification [1] and doesn't match the behavior of other browsers.

To address the issue, WebKit adds the Authorization request back in case of a same-origin redirect.

Test: http/tests/fetch/fetch-redirect-same-origin-authorization.html

* platform/network/cf/ResourceHandleCFNet.cpp:
(WebCore::ResourceHandle::willSendRequest):
* platform/network/mac/ResourceHandleMac.mm:
(WebCore::ResourceHandle::willSendRequest):

Source/WebKit:

CFNetwork drops the Authorization request header in cases of same-origin redirects, which is not as per
the fetch specification [1] and doesn't match the behavior of other browsers.

To address the issue, WebKit adds the Authorization request back in case of a same-origin redirect.

[1] https://fetch.spec.whatwg.org/#concept-http-redirect-fetch

* NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
(WebKit::NetworkDataTaskCocoa::willPerformHTTPRedirection):

LayoutTests:

* http/tests/fetch/fetch-redirect-same-origin-authorization-expected.txt: Added.
* http/tests/fetch/fetch-redirect-same-origin-authorization.html: Added.
* http/tests/fetch/resources/dump-authorization-header.py: Added.
Add layout test coverage.

* http/tests/xmlhttprequest/redirections-and-user-headers.html:
Update existing test to reflect behavior change.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestshttptestsxmlhttprequestredirectionsanduserheadershtml">trunk/LayoutTests/http/tests/xmlhttprequest/redirections-and-user-headers.html</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkcfResourceHandleCFNetcpp">trunk/Source/WebCore/platform/network/cf/ResourceHandleCFNet.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkmacResourceHandleMacmm">trunk/Source/WebCore/platform/network/mac/ResourceHandleMac.mm</a></li>
<li><a href="#trunkSourceWebKitChangeLog">trunk/Source/WebKit/ChangeLog</a></li>
<li><a href="#trunkSourceWebKitNetworkProcesscocoaNetworkDataTaskCocoamm">trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestsfetchfetchredirectsameoriginauthorizationexpectedtxt">trunk/LayoutTests/http/tests/fetch/fetch-redirect-same-origin-authorization-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestsfetchfetchredirectsameoriginauthorizationhtml">trunk/LayoutTests/http/tests/fetch/fetch-redirect-same-origin-authorization.html</a></li>
<li><a href="#trunkLayoutTestshttptestsfetchresourcesdumpauthorizationheaderpy">trunk/LayoutTests/http/tests/fetch/resources/dump-authorization-header.py</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (283564 => 283565)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog      2021-10-05 18:41:08 UTC (rev 283564)
+++ trunk/LayoutTests/ChangeLog 2021-10-05 18:48:10 UTC (rev 283565)
</span><span class="lines">@@ -1,3 +1,19 @@
</span><ins>+2021-10-05  Chris Dumez  <cdumez@apple.com>
+
+        Authorization header lost on 30x redirects
+        https://bugs.webkit.org/show_bug.cgi?id=230935
+        <rdar://problem/83689955>
+
+        Reviewed by Darin Adler.
+
+        * http/tests/fetch/fetch-redirect-same-origin-authorization-expected.txt: Added.
+        * http/tests/fetch/fetch-redirect-same-origin-authorization.html: Added.
+        * http/tests/fetch/resources/dump-authorization-header.py: Added.
+        Add layout test coverage.
+
+        * http/tests/xmlhttprequest/redirections-and-user-headers.html:
+        Update existing test to reflect behavior change.
+
</ins><span class="cx"> 2021-10-05  Gabriel Nava Marino  <gnavamarino@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Unsupported blending of mixed length types leads to nullptr deref when accessing m_value.calc in CSSPrimitiveValue::primitiveType()
</span></span></pre></div>
<a id="trunkLayoutTestshttptestsfetchfetchredirectsameoriginauthorizationexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/fetch/fetch-redirect-same-origin-authorization-expected.txt (0 => 283565)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/fetch/fetch-redirect-same-origin-authorization-expected.txt                         (rev 0)
+++ trunk/LayoutTests/http/tests/fetch/fetch-redirect-same-origin-authorization-expected.txt    2021-10-05 18:48:10 UTC (rev 283565)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+Tests that the Authorization header is present on same-origin redirect requests.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS authorization is "Foo Bar"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestsfetchfetchredirectsameoriginauthorizationhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/fetch/fetch-redirect-same-origin-authorization.html (0 => 283565)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/fetch/fetch-redirect-same-origin-authorization.html                         (rev 0)
+++ trunk/LayoutTests/http/tests/fetch/fetch-redirect-same-origin-authorization.html    2021-10-05 18:48:10 UTC (rev 283565)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<script src="/js-test-resources/js-test.js"></script>
+<script>
+description("Tests that the Authorization header is present on same-origin redirect requests.");
+jsTestIsAsync = true;
+
+fetch("/resources/redirect.py?url=" + encodeURIComponent("/fetch/resources/dump-authorization-header.py"), {
+  headers: {
+    Authorization: 'Foo Bar',
+  },
+}).then((response) => response.text()).then((_data) => {
+    authorization = _data;
+    shouldBeEqualToString("authorization", "Foo Bar");
+    finishJSTest();
+});
+</script>
+</body>
+</html>
</ins></span></pre></div>
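Review bot: this test only covers the case where the header is kept; nothing on the fetch() path asserts that a cross-origin redirect target still receives no Authorization header, which is the security-sensitive half of the behaviour. Consider a second fetch through redirect.py to a different origin that expects "Missing Authorization header" from dump-authorization-header.py (the dump script would then need to allow the cross-origin read), and add a .catch() that calls testFailed and finishJSTest so a rejected fetch fails immediately instead of timing out.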
<a id="trunkLayoutTestshttptestsfetchresourcesdumpauthorizationheaderpy"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/fetch/resources/dump-authorization-header.py (0 => 283565)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/fetch/resources/dump-authorization-header.py                                (rev 0)
+++ trunk/LayoutTests/http/tests/fetch/resources/dump-authorization-header.py   2021-10-05 18:48:10 UTC (rev 283565)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+#!/usr/bin/env python3
+import base64
+import os
+import sys
+
+sys.stdout.write('Content-Type: text/html\r\n\r\n')
+if os.environ.get('HTTP_AUTHORIZATION'):
+    sys.stdout.write(os.environ['HTTP_AUTHORIZATION'])
+else:
+    sys.stdout.write('Missing Authorization header')
+sys.stdout.flush()
</ins><span class="cx">Property changes on: trunk/LayoutTests/http/tests/fetch/resources/dump-authorization-header.py
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
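Review bot: "import base64" is unused, and the script echoes the raw header value under Content-Type: text/html. text/plain is enough for what the test reads with response.text() and avoids serving request-controlled bytes as markup from the test server.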
<a id="svnexecutable"></a>
<div class="addfile"><h4>Added: svn:executable</h4></div>
<ins>+*
</ins><span class="cx">\ No newline at end of property
</span><a id="trunkLayoutTestshttptestsxmlhttprequestredirectionsanduserheadershtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/xmlhttprequest/redirections-and-user-headers.html (283564 => 283565)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/xmlhttprequest/redirections-and-user-headers.html   2021-10-05 18:41:08 UTC (rev 283564)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/redirections-and-user-headers.html      2021-10-05 18:48:10 UTC (rev 283565)
</span><span class="lines">@@ -7,7 +7,7 @@
</span><span class="cx">   </head>
</span><span class="cx">   <body>
</span><span class="cx">     <script type="text/javascript">
</span><del>-function doTest(testName, testURL, simpleRequest, changeOrigin)
</del><ins>+function doTest(testName, testURL, simpleRequest, crossOriginRedirect)
</ins><span class="cx"> {
</span><span class="cx">   promise_test(function(test) {
</span><span class="cx">     var resolvePromise, rejectPromise;
</span><span class="lines">@@ -31,7 +31,10 @@
</span><span class="cx">         if (!simpleRequest) {
</span><span class="cx">             assert_true(xhr.responseText.indexOf("x-webkit header found: funky") !== -1, "xhr final request should have a x-webkit=funky header");
</span><span class="cx">             assert_true(xhr.responseText.indexOf("content-type header found: rocky") !== -1, "xhr final request should have a content-type=groovy header");
</span><del>-            assert_true(xhr.responseText.indexOf("not found any authorization header") !== -1, "xhr final request should not have an authorization header");
</del><ins>+            if (crossOriginRedirect)
+                assert_true(xhr.responseText.indexOf("not found any authorization header") !== -1, "xhr final request should not have an authorization header");
+            else
+                assert_true(xhr.responseText.indexOf("authorization header found") !== -1, "xhr final request should have an authorization header");
</ins><span class="cx">         }
</span><span class="cx">         testPassed = true;
</span><span class="cx">     }
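Review bot: the new same-origin branch only looks for the substring "authorization header found", so a final request carrying some Authorization value other than the one the test set would still pass. The x-webkit and content-type checks just above match the value as well; do the same here if the resource script echoes it. Note also that the whole check sits inside the !simpleRequest block, so the simple-request cases never assert on the Authorization header either way.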
</span><span class="lines">@@ -50,38 +53,39 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> var simpleRequest = true;
</span><ins>+var crossOriginRedirect = true;
</ins><span class="cx"> 
</span><span class="cx"> doTest("Check headers after same-origin redirection to same-origin resource (simple request)",
</span><span class="cx">         "resources/access-control-preflight-redirect.py?redirect=true&url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-preflight-redirect.py",
</span><del>-        simpleRequest);
</del><ins>+        simpleRequest, !crossOriginRedirect);
</ins><span class="cx"> 
</span><span class="cx"> doTest("Check headers after same-origin redirection to same-origin resource (not simple request)",
</span><span class="cx">         "resources/access-control-preflight-redirect.py?redirect=true&url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-preflight-redirect.py",
</span><del>-        !simpleRequest);
</del><ins>+        !simpleRequest, !crossOriginRedirect);
</ins><span class="cx"> 
</span><span class="cx"> doTest("Check headers after same origin redirection to cross-origin resource (simple request)",
</span><span class="cx">         "resources/access-control-preflight-redirect.py?redirect=true&url=http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py",
</span><del>-        simpleRequest);
</del><ins>+        simpleRequest, crossOriginRedirect);
</ins><span class="cx"> 
</span><span class="cx"> doTest("Check headers after same origin redirection to cross-origin resource (not simple request)",
</span><span class="cx">         "resources/access-control-preflight-redirect.py?redirect=true&url=http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py",
</span><del>-        !simpleRequest);
</del><ins>+        !simpleRequest, crossOriginRedirect);
</ins><span class="cx"> 
</span><span class="cx"> doTest("Check headers after cross-origin redirection to same-origin resource (simple request)",
</span><span class="cx">         "http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-preflight-redirect.py",
</span><del>-        simpleRequest);
</del><ins>+        simpleRequest, crossOriginRedirect);
</ins><span class="cx"> 
</span><span class="cx"> doTest("Check headers after cross-origin redirection to same-origin resource (not simple request)",
</span><span class="cx">         "http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-preflight-redirect.py",
</span><del>-        !simpleRequest);
</del><ins>+        !simpleRequest, crossOriginRedirect);
</ins><span class="cx"> 
</span><span class="cx"> doTest("Check headers after cross-origin redirection to cross-origin resource (simple request)",
</span><span class="cx">         "http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py",
</span><del>-        simpleRequest);
</del><ins>+        simpleRequest, !crossOriginRedirect);
</ins><span class="cx"> 
</span><span class="cx"> doTest("Check headers after cross-origin redirection to cross-origin resource (not simple request)",
</span><span class="cx">         "http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py",
</span><del>-        !simpleRequest);
</del><ins>+        !simpleRequest, !crossOriginRedirect);
</ins><span class="cx"> 
</span><span class="cx">     </script>
</span><span class="cx">   </body>
</span></span></pre></div>
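Review bot: crossOriginRedirect is passed as a bare fourth boolean and its meaning is per hop, not relative to the page: the two "cross-origin redirection to cross-origin resource" cases (localhost:8080 redirecting to localhost:8080) pass !crossOriginRedirect and therefore now expect the header to survive. A one-line comment above the var saying that the flag compares the redirecting URL's origin with the redirect target's origin would stop someone from "correcting" those two calls later.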
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (283564 => 283565)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog   2021-10-05 18:41:08 UTC (rev 283564)
+++ trunk/Source/WebCore/ChangeLog      2021-10-05 18:48:10 UTC (rev 283565)
</span><span class="lines">@@ -1,3 +1,23 @@
</span><ins>+2021-10-05  Chris Dumez  <cdumez@apple.com>
+
+        Authorization header lost on 30x redirects
+        https://bugs.webkit.org/show_bug.cgi?id=230935
+        <rdar://problem/83689955>
+
+        Reviewed by Darin Adler.
+
+        CFNetwork drops the Authorization request header in cases of same-origin redirects, which is not as per
+        the fetch specification [1] and doesn't match the behavior of other browsers.
+
+        To address the issue, WebKit adds the Authorization request back in case of a same-origin redirect.
+
+        Test: http/tests/fetch/fetch-redirect-same-origin-authorization.html
+
+        * platform/network/cf/ResourceHandleCFNet.cpp:
+        (WebCore::ResourceHandle::willSendRequest):
+        * platform/network/mac/ResourceHandleMac.mm:
+        (WebCore::ResourceHandle::willSendRequest):
+
</ins><span class="cx"> 2021-10-05  Andres Gonzalez  <andresg_22@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Move handling of AXValue from platform wrapper to AX core code.
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkcfResourceHandleCFNetcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/cf/ResourceHandleCFNet.cpp (283564 => 283565)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/cf/ResourceHandleCFNet.cpp 2021-10-05 18:41:08 UTC (rev 283564)
+++ trunk/Source/WebCore/platform/network/cf/ResourceHandleCFNet.cpp    2021-10-05 18:48:10 UTC (rev 283565)
</span><span class="lines">@@ -288,6 +288,9 @@
</span><span class="cx">         request.clearHTTPAuthorization();
</span><span class="cx">         request.clearHTTPOrigin();
</span><span class="cx">     } else {
</span><ins>+        if (auto authorization = d->m_firstRequest.httpHeaderField(HTTPHeaderName::Authorization); !authorization.isNull())
+            request.setHTTPHeaderField(HTTPHeaderName::Authorization, authorization);
+
</ins><span class="cx">         // Only consider applying authentication credentials if this is actually a redirect and the redirect
</span><span class="cx">         // URL didn't include credentials of its own.
</span><span class="cx">         if (d->m_user.isEmpty() && d->m_password.isEmpty() && !redirectResponse.isNull()) {
</span></span></pre></div>
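Review bot: the value restored in the else branch comes from d->m_firstRequest, the original request, not from the hop that is being redirected. The branch condition is outside this hunk; if it compares the previous hop with the new URL, a chain that goes from origin A to origin B (header cleared by the branch above) and then redirects from B to B would land here and put the Authorization value intended for A back on a request to B. Please confirm the condition rules that out, or record that the header was stripped earlier in the chain, and add a layout test for that three-request chain.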
<a id="trunkSourceWebCoreplatformnetworkmacResourceHandleMacmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/mac/ResourceHandleMac.mm (283564 => 283565)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/mac/ResourceHandleMac.mm   2021-10-05 18:41:08 UTC (rev 283564)
+++ trunk/Source/WebCore/platform/network/mac/ResourceHandleMac.mm      2021-10-05 18:48:10 UTC (rev 283565)
</span><span class="lines">@@ -444,6 +444,9 @@
</span><span class="cx">         request.clearHTTPAuthorization();
</span><span class="cx">         request.clearHTTPOrigin();
</span><span class="cx">     } else {
</span><ins>+        if (auto authorization = d->m_firstRequest.httpHeaderField(HTTPHeaderName::Authorization); !authorization.isNull())
+            request.setHTTPHeaderField(HTTPHeaderName::Authorization, authorization);
+
</ins><span class="cx">         // Only consider applying authentication credentials if this is actually a redirect and the redirect
</span><span class="cx">         // URL didn't include credentials of its own.
</span><span class="cx">         if (d->m_user.isEmpty() && d->m_password.isEmpty() && !redirectResponse.isNull()) {
</span></span></pre></div>
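Review bot: these two added lines are a verbatim copy of the ones in ResourceHandleCFNet.cpp, and NetworkDataTaskCocoa.mm gets a third copy. Because this logic decides when a credential header is re-attached, a single shared helper taking the first request and the redirected request would keep the three code paths from drifting apart.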
<a id="trunkSourceWebKitChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/ChangeLog (283564 => 283565)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/ChangeLog    2021-10-05 18:41:08 UTC (rev 283564)
+++ trunk/Source/WebKit/ChangeLog       2021-10-05 18:48:10 UTC (rev 283565)
</span><span class="lines">@@ -1,3 +1,21 @@
</span><ins>+2021-10-05  Chris Dumez  <cdumez@apple.com>
+
+        Authorization header lost on 30x redirects
+        https://bugs.webkit.org/show_bug.cgi?id=230935
+        <rdar://problem/83689955>
+
+        Reviewed by Darin Adler.
+
+        CFNetwork drops the Authorization request header in cases of same-origin redirects, which is not as per
+        the fetch specification [1] and doesn't match the behavior of other browsers.
+
+        To address the issue, WebKit adds the Authorization request back in case of a same-origin redirect.
+
+        [1] https://fetch.spec.whatwg.org/#concept-http-redirect-fetch
+
+        * NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
+        (WebKit::NetworkDataTaskCocoa::willPerformHTTPRedirection):
+
</ins><span class="cx"> 2021-10-05  Tim Horton  <timothy_horton@apple.com>
</span><span class="cx"> 
</span><span class="cx">         <model> should be draggable, similar to <img>
</span></span></pre></div>
<a id="trunkSourceWebKitNetworkProcesscocoaNetworkDataTaskCocoamm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm (283564 => 283565)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm 2021-10-05 18:41:08 UTC (rev 283564)
+++ trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm    2021-10-05 18:48:10 UTC (rev 283565)
</span><span class="lines">@@ -506,8 +506,12 @@
</span><span class="cx">         // we want to strip here because the redirect is cross-origin.
</span><span class="cx">         request.clearHTTPAuthorization();
</span><span class="cx">         request.clearHTTPOrigin();
</span><ins>+
+    } else {
+        if (auto authorization = m_firstRequest.httpHeaderField(WebCore::HTTPHeaderName::Authorization); !authorization.isNull())
+            request.setHTTPHeaderField(WebCore::HTTPHeaderName::Authorization, authorization);
+
</ins><span class="cx"> #if USE(CREDENTIAL_STORAGE_WITH_NETWORK_SESSION)
</span><del>-    } else {
</del><span class="cx">         // Only consider applying authentication credentials if this is actually a redirect and the redirect
</span><span class="cx">         // URL didn't include credentials of its own.
</span><span class="cx">         if (m_user.isEmpty() && m_password.isEmpty() && !redirectResponse.isNull()) {
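Review bot: the restored header is written before the credential-storage block that follows, which can call applyBasicAuthorizationHeader on the same request, so when a stored credential exists the page-supplied Authorization value is presumably replaced by a Basic one. State in a comment which of the two is meant to win and cover it with a test. Minor: the blank line added before "} else {" looks unintended.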
</span><span class="lines">@@ -518,8 +522,8 @@
</span><span class="cx">                 // FIXME: Support Digest authentication, and Proxy-Authorization.
</span><span class="cx">                 applyBasicAuthorizationHeader(request, m_initialCredential);
</span><span class="cx">             }
</span><ins>+#endif
</ins><span class="cx">         }
</span><del>-#endif
</del><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     if (isTopLevelNavigation())
</span></span></pre>
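Review bot: the #endif now sits between the inner closing brace and the brace that closes the "if (m_user.isEmpty() ...) {" statement, while that if is opened after the #if USE(CREDENTIAL_STORAGE_WITH_NETWORK_SESSION) line in the previous hunk. With the macro off, the opening brace is compiled out but its closing brace is not, so the braces no longer balance. Move the #endif below the 8-space closing brace so the whole if statement stays inside the guard.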
</div>
</div>

</body>
</html>