[Webkit-unassigned] [Bug 239119] New: <link rel=preconnect> always sends credentials to different-origin

Tue Apr 12 02:35:15 PDT 2022

https://bugs.webkit.org/show_bug.cgi?id=239119

            Bug ID: 239119
           Summary: <link rel=preconnect> always sends credentials to
                    different-origin
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: noam at webkit.org
                CC: beidson at apple.com

Given <link rel=preconnect href="https://some-other-origin" crossorigin=anonymous>
I believe from reading the code that the "anonymous" bit would be ignored:

Looking at Source/WebCore/loader/LinkLoader.cpp, line 217:

    if (equalIgnoringASCIICase(params.crossOrigin, "anonymous") && document.securityOrigin().isSameOriginDomain(SecurityOrigin::create(href)))
        storageCredentialsPolicy = StoredCredentialsPolicy::DoNotUse;

If I understand this line correctly, it would mean something like:

useCredentials = link.crossorigin != 'anonymous' || !same_origin(link.href, document.origin)

So any preconnect to a different-origin href would send credentials :(

https://github.com/WebKit/WebKit/blob/8a5b17627ecd1a551b59978434f64378b4943bc7/Source/WebCore/loader/LinkLoader.cpp#L217

(It's a bit difficult to WPT this or show how this is ...)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220412/8aecfb3c/attachment-0001.htm>