[Webkit-unassigned] [Bug 155761] New: Origin header is not included in CORS requests for cross-origin resources

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 22 11:46:38 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=155761

            Bug ID: 155761
           Summary: Origin header is not included in CORS requests for
                    cross-origin resources
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: me at joshdover.com
                CC: beidson at apple.com

According to the CORS specification [1], all CORS requests must include the 'Origin' header. Many server and CDN implementations will not respond with any of the appropriate CORS headers if the Origin is not specified. When a resource is referenced by a `<link>` tag, WebKit does not include the Origin in the request. While WebKit does still accept the resource as valid, it is marked as 'tainted' which prevents JavaScript on the page from accessing the CSSRuleList object on the CSSStyleSheet (it will be `null` for tainted stylesheets).

I confirmed this is the case via `tcpdump` with Safari 9.0.3 (11601.4.4) and got the same results in WebKit nightly r198522. Example tag used:

```
<link href="//mycdn.com/style.css" rel="stylesheet" type="text/css" media="all" crossorigin="use-credentials">
```

Recorded Safari request, note the missing Origin header:

```
13:39:48.413187 IP 10.0.1.136.50969 > 69.172.201.208.http: Flags [P.], seq 2207105597:2207105953, ack 4251157642, win 65535, length 356: HTTP: GET /style.css HTTP/1.1
$...7.8...y...E..... at .@...
...E......P...=.c..P.......GET /style.css HTTP/1.1
Host: mycdn.com
Accept-Encoding: gzip, deflate
Connection: keep-alive
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/601.4.4 (KHTML, like Gecko) Version/9.0.3 Safari/601.4.4
Accept-Language: en-us
Referer: http://my.dev:5000/designer/181021729
Cache-Control: max-age=0
```

Recorded Chrome request, note the Origin header:

```
13:38:33.594253 IP 10.0.1.136.50856 > 69.172.201.208.http: Flags [P.], seq 4043612470:4043612873, ack 2525948378, win 65535, length 403: HTTP: GET /style.css HTTP/1.1
$...7.8...y...E..... at .@...
...E......P...6....P.......GET /style.css HTTP/1.1
Host: mycdn.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
Origin: http://my.dev:5000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
Referer: http://my.dev:5000/designer/181021729
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
```

I've confirmed that Firefox + Chrome (example above) both handle this correctly. Safari also behaves the same if the `crossorigin` attribute is set to 'use-credentials' or 'anonymous'.

This could be a security threat since some developers may naively opt to send `Access-Control-Allow-Origin: *` as a workaround for this Safari-specific issue. Additionally, this poses an issue for anyone using a CDN that has limited CORS configuration options. For instance, AWS S3 will not send CORS headers if there is no Origin header, regardless of configuration.


[1] http://www.w3.org/TR/cors/#origin-request-header
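As an added illustration (not part of the bug report or of WebKit), the server-side decision a CDN or origin server makes from the Origin header, run over header blocks reconstructed from the two captures above. The allowlist, the parser and the sample requests are assumptions constructed for this example; it shows why a request with no Origin gets no CORS headers, and why echoing an allowlisted origin is the correct answer rather than `Access-Control-Allow-Origin: *`.

```javascript
// Assumed allowlist of pages permitted to read the stylesheet's rules.
const ALLOWED_ORIGINS = new Set(['http://my.dev:5000']);

// Parse the header block of a raw HTTP/1.1 request into a lowercase-keyed map.
function parseRequestHeaders(raw) {
  const lines = raw.trim().split(/\r?\n/);
  const [method, target, version] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, version, headers };
}

// Decide which CORS response headers to send. Without an Origin header the
// request is not a CORS request and nothing is echoed (the S3 behaviour the
// report describes). Credentialed requests require a specific origin; browsers
// reject '*' combined with Access-Control-Allow-Credentials, so a wildcard is
// never a valid workaround for a `crossorigin="use-credentials"` link.
function corsResponseHeaders(req) {
  const origin = req.headers['origin'];
  if (!origin) return {};
  if (!ALLOWED_ORIGINS.has(origin)) return { 'Vary': 'Origin' };
  return {
    'Access-Control-Allow-Origin': origin,      // echo the specific origin
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                            // caches must key on Origin
  };
}

// Constructed from the captured requests in the report (tcpdump bytes dropped).
const SAFARI_REQUEST = [
  'GET /style.css HTTP/1.1',
  'Host: mycdn.com',
  'Accept: text/css,*/*;q=0.1',
  'Referer: http://my.dev:5000/designer/181021729',
].join('\r\n');
const CHROME_REQUEST = [
  'GET /style.css HTTP/1.1',
  'Host: mycdn.com',
  'Origin: http://my.dev:5000',
  'Referer: http://my.dev:5000/designer/181021729',
].join('\r\n');

for (const [name, raw] of [['Safari', SAFARI_REQUEST], ['Chrome', CHROME_REQUEST]]) {
  const req = parseRequestHeaders(raw);
  console.log(name, 'Origin present:', 'origin' in req.headers, corsResponseHeaders(req));
}
```

The Safari capture yields no CORS headers at all, which is exactly why the stylesheet ends up tainted and its `cssRules` unreadable from script.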
