<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Origin header is not included in CORS requests for cross-origin resources"
href="https://bugs.webkit.org/show_bug.cgi?id=155761">155761</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Origin header is not included in CORS requests for cross-origin resources
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>Page Loading
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>me@joshdover.com
</td>
</tr>
<tr>
<th>CC</th>
<td>beidson@apple.com
</td>
</tr></table>
<p>
<div>
<pre>According to the CORS specification [1], all CORS requests must include the 'Origin' header. Many server and CDN implementations will not respond with any of the appropriate CORS headers if the Origin is not specified. When a resource is referenced by a `<link>` tag, WebKit does not include the Origin in the request. While WebKit does still accept the resource as valid, it is marked as 'tainted' which prevents JavaScript on the page from accessing the CSSRuleList object on the CSSStyleSheet (it will be `null` for tainted stylesheets).
I confirmed this is the case via `tcpdump` with Safari 9.0.3 (11601.4.4) and got the same results in WebKit nightly r198522. Example tag used:
```
<link href="//mycdn.com/style.css" rel="stylesheet" type="text/css" media="all" crossorigin="use-credentials">
```
Recorded Safari request, note the missing Origin header:
```
13:39:48.413187 IP 10.0.1.136.50969 > 69.172.201.208.http: Flags [P.], seq 2207105597:2207105953, ack 4251157642, win 65535, length 356: HTTP: GET /style.css HTTP/1.1
$...7.8...y...E.....@.@...
...E......P...=.c..P.......GET /style.css HTTP/1.1
Host: mycdn.com
Accept-Encoding: gzip, deflate
Connection: keep-alive
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/601.4.4 (KHTML, like Gecko) Version/9.0.3 Safari/601.4.4
Accept-Language: en-us
Referer: <a href="http://my.dev:5000/designer/181021729">http://my.dev:5000/designer/181021729</a>
Cache-Control: max-age=0
```
Recorded Chrome request, note the Origin header:
```
13:38:33.594253 IP 10.0.1.136.50856 > 69.172.201.208.http: Flags [P.], seq 4043612470:4043612873, ack 2525948378, win 65535, length 403: HTTP: GET /style.css HTTP/1.1
$...7.8...y...E.....@.@...
...E......P...6....P.......GET /style.css HTTP/1.1
Host: mycdn.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
Origin: <a href="http://my.dev:5000">http://my.dev:5000</a>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
Referer: <a href="http://my.dev:5000/designer/181021729">http://my.dev:5000/designer/181021729</a>
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
```
I've confirmed that Firefox + Chrome (example above) both handle this correctly. Safari also behaves the same if the `crossorigin` attribute set to 'use-credentials' or 'anonymous'.
This could be a security threat since some developers may naively opt to send `Access-Control-Allow-Origin: *` as a workaround for this Safari-specific issue. Additionally, this poses an issue for anyone using a CDN that has limited CORS configuration options. For instance, AWS S3 will not send CORS headers if there is no Origin header, regardless of configuration.
[1] <a href="http://www.w3.org/TR/cors/#origin-request-header">http://www.w3.org/TR/cors/#origin-request-header</a></pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>