[Webkit-unassigned] [Bug 83333] New: DocumentThreadableLoader doesn't remove credentials from preflight requests.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Apr 5 17:04:52 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=83333
Summary: DocumentThreadableLoader doesn't remove credentials
from preflight requests.
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: Platform
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: bbudge at gmail.com
CC: ap at webkit.org, fishd at chromium.org, levin at chromium.org
This came up on StackOverflow:
http://stackoverflow.com/questions/9830436/why-does-chrome-send-user-credentials-with-preflighed-cors-request
It looks like the logic in DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight is conforming to an earlier version of the standard, and potentially allowing cookies in the preflight request:
void DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight(const ResourceRequest& request)
{
ResourceRequest preflightRequest = createAccessControlPreflightRequest(request, securityOrigin(), m_options.allowCredentials);
loadRequest(preflightRequest, DoSecurityCheck);
}
The 'createAccessControlPreflightRequest' method shouldn't have that last parameter.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list