[Webkit-unassigned] [Bug 171566] New: crossorigin="anonymous" resource loads are anonymous even for same-origin

bugzilla-daemon at webkit.org
Tue May 2 13:37:48 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=171566

            Bug ID: 171566
           Summary: crossorigin="anonymous" resource loads are anonymous
                    even for same-origin
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ptoomey3 at biasedcoin.com

A group of colleagues of mine noticed that a session cookie was not being sent with a script request that looked something like this:


<script src="./anonymous.js" crossorigin="anonymous"></script>


It looks as though Safari treats any resource request with the crossorigin="anonymous" attribute as anonymous. But this is only meant to apply for cross-origin requests. I set up a temporary PoC test page (the contents can be seen below) that can be viewed on Heroku (https://infinite-bayou-16019.herokuapp.com). The two endpoints reflect back a JS response based on whether a cookie is sent along with the JS fetch. Chrome and Firefox send cookies for both fetches, while Safari only sends it on the non-anonymous fetch.


  <html>
    <head>
      <script src="./non_anonymous.js"></script>
      <script src="./anonymous.js" crossorigin="anonymous"></script>
    </head>
    <body>
      <h1>Echo some cookies!</h1>
    </body>
  </html>

-- 
You are receiving this mail because:
You are the assignee for the bug.
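
A local stand-in for the test page described in the report, as an added example that is not the reporter's code or the Heroku app. It assumes a cookie named `session` set on the page load, a `COOKIE_TEST_PORT` environment variable, and Node's built-in `http` module; each script endpoint reports whether the cookie arrived with its fetch.

```javascript
// Added example: constructed stand-in for the test page in the report above.
// The cookie name "session" and COOKIE_TEST_PORT are assumptions, not from the report.
const PAGE = `<html>
  <head>
    <script src="./non_anonymous.js"></script>
    <script src="./anonymous.js" crossorigin="anonymous"></script>
  </head>
  <body><h1>Echo some cookies!</h1></body>
</html>`;

// Build the response for one request. Kept free of I/O so it can be checked directly.
function respond(path, cookieHeader) {
  const hasSession = /(?:^|;\s*)session=/.test(cookieHeader || '');
  if (path === '/') {
    // Set the cookie on the page load so the script fetches that follow can carry it.
    return {
      status: 200,
      headers: { 'Content-Type': 'text/html', 'Set-Cookie': 'session=test; Path=/; HttpOnly' },
      body: PAGE,
    };
  }
  if (path === '/non_anonymous.js' || path === '/anonymous.js') {
    // Reflect whether the cookie arrived with this script fetch.
    const msg = `${path.slice(1)}: cookie ${hasSession ? 'sent' : 'NOT sent'}`;
    return {
      status: 200,
      headers: { 'Content-Type': 'application/javascript', 'Cache-Control': 'no-store' },
      body: `console.log(${JSON.stringify(msg)});`,
    };
  }
  return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'not found' };
}

// Serve the page and both script endpoints from one origin.
function start(port) {
  const http = require('http');
  return http.createServer((req, res) => {
    const { pathname } = new URL(req.url, 'http://localhost');
    const r = respond(pathname, req.headers.cookie);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(port);
}

// Run with e.g. COOKIE_TEST_PORT=8080, open the page, and read the browser console.
if (process.env.COOKIE_TEST_PORT) start(Number(process.env.COOKIE_TEST_PORT));
```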