[Webkit-unassigned] [Bug 146650] New: Origin not sent on anonymous async JS requests

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 6 12:00:02 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=146650

            Bug ID: 146650
           Summary: Origin not sent on anonymous async JS requests
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Mac OS X 10.10
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ptoomey3 at biasedcoin.com

We had some CORS logic that relied on looking at the `Origin` header for setting the appropriate `Access-Control-Allow-Origin` response. The page that relied on this looked something like:

```
<html>
...
<script crossorigin="anonymous" src="..."></script>
<script async="async" crossorigin="anonymous" src="..."></script>
<script async="async" crossorigin="anonymous" src="..."></script>
...
</html>
```

We noticed that only the first JS request included the `Origin` header. The two async requests did not include it. Even more strangely, it seems like the non-async resource acts like some sort of toggle that prevents `Origin` from being added for all future JS resource requests. For example:

```
# The below will send `Origin` for the first request and not for the second and third
<script some-non-async...>
<script async="async"...>
<script async="async"...>

# The below will send `Origin` for the first and second request and not the third
<script async="async"...>
<script some-non-async...>
<script async="async"...>

# The below will send `Origin` for all the requests
<script async="async"...>
<script async="async"...>
<script some-non-async...>
```

This behavior is reproducible on the latest Safari as well as the latest WebKit nightly.

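The server-side `Origin`-reflecting logic the report describes, as an added example that is not part of the original bug report or of WebKit: it shows how a reflect-only policy answers requests that arrive without `Origin`, next to a variant that tolerates the missing header for public assets. The allowlist, function names and sample requests are hypothetical, and the model assumes the browser still applies the CORS check to the response.

```javascript
// Added example, not code from the report. ALLOWED_ORIGINS, the function
// names and the sample requests are hypothetical / constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// HTTP header names are case-insensitive.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// publicAsset=false: reflect-only logic, ACAO only for an allowlisted Origin.
// publicAsset=true: additionally answer "*" when Origin is absent. Assumption:
// the asset is public and fetched without credentials, so "*" discloses nothing.
function corsHeaders(reqHeaders, { publicAsset = false } = {}) {
  // Vary: Origin keeps shared caches from replaying one origin's response to another.
  const res = { Vary: "Origin" };
  const origin = getHeader(reqHeaders, "Origin");
  if (origin === undefined) {
    if (publicAsset) res["Access-Control-Allow-Origin"] = "*";
  } else if (ALLOWED_ORIGINS.has(origin)) {
    res["Access-Control-Allow-Origin"] = origin;
  }
  return res;
}

// Would a crossorigin="anonymous" fetch from pageOrigin pass the CORS check?
function passesCorsCheck(resHeaders, pageOrigin) {
  const acao = resHeaders["Access-Control-Allow-Origin"];
  return acao === "*" || acao === pageOrigin;
}

// Constructed requests mirroring the first ordering in the report:
// the non-async script carries Origin, the two async scripts do not.
const SAMPLE_REQUESTS = [
  { url: "/a.js", headers: { Origin: "https://app.example.com" } },
  { url: "/b.js", headers: {} },
  { url: "/c.js", headers: {} },
];

function evaluate(requests, opts) {
  return requests.map((r) => ({
    url: r.url,
    loads: passesCorsCheck(corsHeaders(r.headers, opts), "https://app.example.com"),
  }));
}

console.log(evaluate(SAMPLE_REQUESTS, { publicAsset: false }));
console.log(evaluate(SAMPLE_REQUESTS, { publicAsset: true }));
```

The `"*"` fallback must not be combined with `Access-Control-Allow-Credentials`, and it is unsuitable for responses whose contents depend on who is asking.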