[Webkit-unassigned] [Bug 258863] New: In iOS 17 beta version, the "Origin" field is missing in the request when using "Link modulepreload".

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 4 19:41:29 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=258863

            Bug ID: 258863
           Summary: In iOS 17 beta version, the "Origin" field is missing
                    in the request when using "Link modulepreload".
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: iPhone / iPad
                OS: Other
            Status: NEW
          Severity: Blocker
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: 904936148 at qq.com

Created attachment 466928

  --> https://bugs.webkit.org/attachment.cgi?id=466928&action=review

This is the error printed out by JavaScript.

In iOS 17 beta version, when using link tag + modulePreload in JavaScript, and Native enables HTTPS interceptor, if there is a cross-domain request, the "Origin" field is missing in the request header of urlSchemeTask.request in the interceptor callback, which causes the resource loading to fail.

I found the following code in the newly merged code on the master branch:
auto linkRequest = [&]() {
    if (params.relAttribute.isLinkModulePreload) {
        options.mode = FetchOptions::Mode::Cors;
        options.credentials = equalLettersIgnoringASCIICase(params.crossOrigin, "use-credentials"_s) ? FetchOptions::Credentials::Include : FetchOptions::Credentials::SameOrigin;
        CachedResourceRequest cachedRequest { ResourceRequest { url }, WTFMove(options) };
        cachedRequest.setOrigin(document.securityOrigin());
        return cachedRequest;
    }
    return createPotentialAccessControlRequest(url, WTFMove(options), document, params.crossOrigin);
}();

The code logic executed under the isLinkModulePreload condition is different from that in createPotentialAccessControlRequest. In createPotentialAccessControlRequest, the setting of options.mode = FetchOptions::Mode::Cors and cachedRequest.resourceRequest().request.setHTTPOrigin are paired, but in the new code, the setting of options.mode = FetchOptions::Mode::Cors and cachedRequest.setOrigin are set at the same time, but cachedRequest.resourceRequest().request.setHTTPOrigin is not set. I don't know if this is the cause of the problem that occurred.

Link:https://github.com/WebKit/WebKit/pull/10505/commits/2581333cdb03631d467c1538d6b7f7f0f8e1b1c8#diff-8e32b2aefbbce8573dd734958027b29d33b30c7e079da9dc9b51dc49330009a0


The issue of missing the "Origin" field in the request header of the interceptor has only been found in the iOS 17 beta version. For the same link and native environment, the "Origin" field is carried in the request of the interceptor in iOS 16.4/16.5/16.6 beta versions, and there is no problem.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230705/ed9adc60/attachment-0001.htm>


More information about the webkit-unassigned mailing list