[Webkit-unassigned] [Bug 116075] New: Fix problems with cross-origin redirects
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon May 13 16:36:10 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=116075
Summary: Fix problems with cross-origin redirects
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Page Loading
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: rniwa at webkit.org
CC: ap at webkit.org, ddkilzer at webkit.org, beidson at apple.com
We might want to merge
https://chromium.googlesource.com/chromium/blink/+/7ea774e478f84f355748108d2aaabca15355d512
Three problems exist in the current code:
1) If a same-origin request causes a redirect to a different origin,
do not enforce access control checks for the redirect response
itself, because the request which resulted in the redirect was
same-origin.
2) If a same-origin request causes a redirect to a different origin,
use the original request's URL as the origin for the new request;
do not use a unique security origin.
3) Track whether the client (i.e., XMLHttpRequest) actually requested
that credentials be sent in the first place. When a same-origin
request redirects to a different origin, the original request will
send cookies whether requested or not, because it is same-origin.
The new cross-origin request should not send cookies unless they
were requested, so that the access control checks on the response
will succeed if the server granted "Access-Control-Allow-Origin=*".
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list