[Webkit-unassigned] [Bug 276364] New: XMLHttpRequest without credentials fails with CORS error on redirections

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 9 05:19:12 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=276364

            Bug ID: 276364
           Summary: XMLHttpRequest without credentials fails with CORS
                    error on redirections
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: pgorszkowski at igalia.com

The problem was reported for WPE: https://github.com/WebPlatformForEmbedded/WPEWebKit/issues/1361, but it can also be reproduced with GTK or Safari (iPhone). The steps to reproduce:
1. make an XMLHttpRequest without credentials to the same origin (same_origin_redirect)
    const xhr = new XMLHttpRequest();
    xhr.open("GET", "http://same_origin/same_origin_redirect.php", true);
    xhr.send(null); // withCredentials is left at its default (false)
2. same_origin_redirect.php redirects to a different origin:
<?php
header("Access-Control-Allow-Origin: *");
header("HTTP/1.1 301 Moved Permanently");
header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate");
header("Location: http://different_origin/different_origin_redirect.php");
?>
3. different_origin_redirect.php redirects to the same origin:
<?php
header("Access-Control-Allow-Origin: *");
header("HTTP/1.1 301 Moved Permanently");
header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate");
header("Location: http://same_origin/same_origin_target.php");
?>
4. same_origin_target.php:
<?php
header("Access-Control-Allow-Origin: *");
?>
<html>
<head>
</head>
<body style="background-color:white">
  <p style="font-weight: 600;">Wildcard CORS</p><br />
  <p>Status: <strong id="status">SUCCESS</strong></p>
</body>
</html>


The last redirect fails because of:
[Error] Cross-origin redirection to http://same_origin/same_origin_target.php denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
[Error] Failed to load resource: Cross-origin redirection to http://same_origin/same_origin_target.php denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. (same_origin_redirect.php, line 0)
[Error] XMLHttpRequest cannot load http://different_origin/different_origin_redirect.php due to access control checks.

The problem can also be reproduced with a LayoutTest with a similar case (I will add the case to LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html in a PR).

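The following is an added example and is not WebKit's code or the reporter's test case. It is a small in-memory model of how the Fetch standard's redirect handling ("HTTP-redirect fetch") and "CORS check" treat the A -> B -> A chain from the report, as I read those steps: a cross-origin redirect taints the request's origin (so it serializes as "null"), every later hop is CORS-checked even when it lands back on the page's own origin, and the wildcard Access-Control-Allow-Origin is rejected only when the credentials mode is "include". An XHR with withCredentials false runs with credentials mode "same-origin", so the chain in the report should succeed; the same chain with withCredentials true is expected to fail on the cross-origin hop, which is the case the error text describes. The hostnames, the SERVERS table and the no_cors.php endpoint are constructed for this example; the header values mirror the PHP scripts above.

```javascript
// Added example, not WebKit's or the reporter's code: a model of the Fetch
// standard's redirect handling and CORS check over the report's redirect chain.
// Hostnames and the SERVERS table are constructed; headers mirror the PHP above.

const SERVERS = {
  "http://same-origin.test/same_origin_redirect.php": {
    status: 301,
    headers: {
      "access-control-allow-origin": "*",
      location: "http://different-origin.test/different_origin_redirect.php",
    },
  },
  "http://different-origin.test/different_origin_redirect.php": {
    status: 301,
    headers: {
      "access-control-allow-origin": "*",
      location: "http://same-origin.test/same_origin_target.php",
    },
  },
  "http://same-origin.test/same_origin_target.php": {
    status: 200,
    headers: { "access-control-allow-origin": "*" },
    body: '<p>Status: <strong id="status">SUCCESS</strong></p>',
  },
  // Constructed negative case: a cross-origin resource with no CORS header.
  "http://different-origin.test/no_cors.php": { status: 200, headers: {}, body: "private" },
};

const originOf = (url) => new URL(url).origin;

// CORS check. The wildcard is rejected only when the credentials mode is
// "include"; an XHR with withCredentials === false runs with "same-origin",
// so "*" must pass even after a cross-origin redirect has tainted the origin.
function corsCheck(req, res) {
  const allow = res.headers["access-control-allow-origin"];
  if (allow === undefined) return false;
  if (req.credentialsMode !== "include" && allow === "*") return true;
  if (allow !== req.serializedOrigin) return false; // "null" once tainted
  if (req.credentialsMode !== "include") return true;
  return res.headers["access-control-allow-credentials"] === "true";
}

// Mode "cors" fetch that follows redirects. Returns { ok, hops, url, ... }.
function corsFetch(url, { origin, credentialsMode = "same-origin" }, servers = SERVERS) {
  const req = { currentUrl: url, origin, credentialsMode, serializedOrigin: origin, tainted: false };
  let responseTainting = "basic";
  for (let hop = 0; hop < 20; hop++) {
    const res = servers[req.currentUrl];
    if (!res) return { ok: false, hops: hop, url: req.currentUrl, error: "no such resource" };

    // Main fetch: the no-check ("basic") path applies only while the request
    // has never left its origin. Once tainting is "cors" it stays "cors", so
    // the final hop back to the page's origin is still CORS-checked.
    if (!(responseTainting === "basic" && originOf(req.currentUrl) === req.origin)) {
      responseTainting = "cors";
      if (!corsCheck(req, res)) {
        return { ok: false, hops: hop, url: req.currentUrl, error: "CORS check failed" };
      }
    }

    const location = res.headers.location;
    if (res.status >= 300 && res.status < 400 && location) {
      // HTTP-redirect fetch: leaving the current URL's origin sets the tainted
      // origin flag, after which the request's origin serializes as "null".
      if (originOf(req.currentUrl) !== originOf(location)) {
        req.tainted = true;
        req.serializedOrigin = "null";
      }
      req.currentUrl = location;
      continue;
    }
    return { ok: true, hops: hop, url: req.currentUrl, tainted: req.tainted, body: res.body };
  }
  return { ok: false, hops: 20, url: req.currentUrl, error: "too many redirects" };
}

// Stand-alone run: the report's chain without credentials (expected to
// succeed) and with credentials mode "include" (wildcard correctly rejected).
const PAGE_ORIGIN = "http://same-origin.test";
const START = `${PAGE_ORIGIN}/same_origin_redirect.php`;
console.log(corsFetch(START, { origin: PAGE_ORIGIN }));
console.log(corsFetch(START, { origin: PAGE_ORIGIN, credentialsMode: "include" }));
```

The useful check when triaging a report like this one is the credentials mode actually in effect, not whether the final URL is same-origin: in the model the third hop is same-origin with the page but is still CORS-checked because the request was tainted by the earlier cross-origin redirect, and the wildcard passes precisely because the XHR was sent without credentials.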