<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Origin not sent on anonymous async JS requests"
   href="https://bugs.webkit.org/show_bug.cgi?id=146650">146650</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Origin not sent on anonymous async JS requests
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>528+ (Nightly build)
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Mac OS X 10.10
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>New Bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>ptoomey3&#64;biasedcoin.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>We had some CORS logic that relied on looking at the `Origin` header for setting the appropriate `Access-Control-Allow-Origin` response. The page that relied on this looked something like:

```
&lt;html&gt;
...
&lt;script crossorigin=&quot;anonymous&quot; src=&quot;...&quot;&gt;&lt;/script&gt;
&lt;script async=&quot;async&quot; crossorigin=&quot;anonymous&quot; src=&quot;...&quot;&gt;&lt;/script&gt;
&lt;script async=&quot;async&quot; crossorigin=&quot;anonymous&quot; src=&quot;...&quot;&gt;&lt;/script&gt;
...
&lt;/html&gt;
```

We noticed that only the first JS request included the `Origin` header. The two async requests did not include it. Even more strangely, it seems like the non-async resource acts like some sort of toggle that prevents `Origin` from being added for all future JS resource requests. For example:

```
# The below will send `Origin` for the first request and not for the second and third
&lt;script some-non-async...&gt;
&lt;script async=&quot;async&quot;...&gt;
&lt;script async=&quot;async&quot;...&gt;

# The below will send `Origin` for the first and second request and not the third
&lt;script async=&quot;async&quot;...&gt;
&lt;script some-non-async...&gt;
&lt;script async=&quot;async&quot;...&gt;

# The below will send `Origin` for all the requests
&lt;script async=&quot;async&quot;...&gt;
&lt;script async=&quot;async&quot;...&gt;
&lt;script some-non-async...&gt;
```

This behavior is reproducible on the latest Safari as well as the latest WebKit nightly.</pre>
        </div>
      </p>
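      <div>
        <pre>Added example (not part of the bug report or of WebKit code): a server-side sketch of CORS logic that derives `Access-Control-Allow-Origin` from `Origin`, as the report describes. It shows that a request arriving without `Origin` gets no `Access-Control-Allow-Origin`, and that a shared cache can replay that response to a later request that does carry `Origin` unless the server sends `Vary: Origin`. The allowlist, URL and function names are hypothetical.

```javascript
// Added example. Allowlist, URL and function names are hypothetical.
const ALLOWED = new Set(['https://app.example']); // constructed sample origin

// Origin-server logic: echo an allowlisted Origin, never an unlisted value.
// Header names are lower-cased, as Node's http module delivers them.
function corsHeaders(requestHeaders, sendVary) {
  const headers = {};
  if (sendVary) headers['vary'] = 'origin'; // sent even when Origin is absent
  const origin = requestHeaders['origin'];
  if (typeof origin === 'string') {
    if (ALLOWED.has(origin)) headers['access-control-allow-origin'] = origin;
  }
  return headers; // no Origin header: nothing to echo, so no ACAO
}

// Minimal shared cache that honours the stored response's Vary header.
function makeCache(sendVary) {
  const entries = [];
  return function fetchViaCache(url, requestHeaders) {
    for (const e of entries) {
      if (e.url !== url) continue;
      let match = true;
      for (const name of e.varyNames) {
        if (e.varyValues[name] !== requestHeaders[name]) match = false;
      }
      if (match) return { fromCache: true, headers: e.headers };
    }
    // Cache miss: ask the origin server and store the response.
    const headers = corsHeaders(requestHeaders, sendVary);
    const varyNames = headers['vary'] ? headers['vary'].split(',') : [];
    const varyValues = {};
    for (const name of varyNames) varyValues[name] = requestHeaders[name];
    entries.push({ url, varyNames, varyValues, headers });
    return { fromCache: false, headers };
  };
}

// Constructed sequence: a request without Origin (the case in the report),
// then a request for the same URL that does carry Origin.
function replay(sendVary) {
  const fetchViaCache = makeCache(sendVary);
  const url = 'https://cdn.example/app.js';
  fetchViaCache(url, {});
  return fetchViaCache(url, { origin: 'https://app.example' });
}
```
</pre>
      </div>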
    </body>
</html>