Bug 239119

Summary: <link rel=preconnect> always sends credentials to different-origin, ignoring crossorigin=anonymous
Product: WebKit
Reporter: Noam Rosenthal <noam>
Component: Page Loading
Assignee: youenn fablet <youennf>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, beidson, cdumez, ews-watchlist, japhet, webkit-bug-importer, wilander, yoav, youennf
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Patch (flags: none)
Patch for landing (flags: none)

Description Noam Rosenthal 2022-04-12 02:35:15 PDT
Given <link rel=preconnect href="https://some-other-origin" crossorigin=anonymous>
I believe from reading the code that the "anonymous" bit would be ignored:

Looking at Source/WebCore/loader/LinkLoader.cpp, line 217:

    if (equalIgnoringASCIICase(params.crossOrigin, "anonymous") && document.securityOrigin().isSameOriginDomain(SecurityOrigin::create(href)))
        storageCredentialsPolicy = StoredCredentialsPolicy::DoNotUse;

If I understand this line correctly, it would mean something like:

useCredentials = link.crossorigin != 'anonymous' || !same_origin(link.href, document.origin)

So any preconnect to a different-origin href would send credentials :(

https://github.com/WebKit/WebKit/blob/8a5b17627ecd1a551b59978434f64378b4943bc7/Source/WebCore/loader/LinkLoader.cpp#L217

(It's a bit difficult to WPT this or show how this is ...)
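
Added example (not part of the original report and not WebKit's code): a Node.js audit that applies the reporter's reading of the check to a page's markup and lists the `crossorigin=anonymous` preconnect hints that would still be connected with credentials. The sample HTML, the `example.*` hosts and all function names are constructed for illustration.

```javascript
// Credential decision as the reporter reads LinkLoader.cpp line 217:
// DoNotUse is chosen only when crossorigin is "anonymous" AND href is same-origin.
function reportedSendsCredentials(crossOrigin, href, documentUrl) {
  const anonymous = (crossOrigin || "").toLowerCase() === "anonymous";
  const sameOrigin = new URL(href, documentUrl).origin === new URL(documentUrl).origin;
  return !(anonymous && sameOrigin);
}

// Collect the attributes of every <link> whose rel list contains "preconnect".
// A regex scan is enough for an audit of static markup; it is not an HTML parser.
function preconnectLinks(html) {
  const links = [];
  for (const [tag] of html.matchAll(/<link\b[^>]*>/gi)) {
    const attrs = {};
    const attrRe = /([a-z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/gi;
    for (const m of tag.slice(5).matchAll(attrRe)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
    }
    const rel = (attrs.rel || "").toLowerCase().split(/\s+/);
    if (rel.includes("preconnect") && attrs.href) links.push(attrs);
  }
  return links;
}

// Hints that ask for an anonymous connection but, under the reported logic,
// would be preconnected with credentials (only the literal "anonymous" value
// named in the report is considered).
function auditPreconnects(html, documentUrl) {
  return preconnectLinks(html)
    .filter((a) => (a.crossorigin || "").toLowerCase() === "anonymous")
    .filter((a) => reportedSendsCredentials(a.crossorigin, a.href, documentUrl))
    .map((a) => a.href);
}

// Constructed sample input.
const DOC_URL = "https://app.example.com/index.html";
const SAMPLE_HTML = `
<link rel="preconnect" href="https://cdn.example.net" crossorigin="anonymous">
<link rel=preconnect href=/assets crossorigin=anonymous>
<link rel="preconnect" href="https://fonts.example.org" crossorigin="use-credentials">
<link rel="stylesheet" href="https://cdn.example.net/a.css" crossorigin="anonymous">
<link rel="dns-prefetch preconnect" href="https://api.example.com" crossorigin=Anonymous>
`;

console.log(auditPreconnects(SAMPLE_HTML, DOC_URL));
```

Under the reported logic every different-origin hint marked `anonymous` is flagged, while the same-origin `/assets` hint is the only `anonymous` one that ends up without credentials.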
Comment 1 Radar WebKit Bug Importer 2022-04-12 12:48:46 PDT
<rdar://problem/91643534>
Comment 2 youenn fablet 2022-04-26 05:02:33 PDT
Created attachment 458352
Patch
Comment 3 John Wilander 2022-04-26 08:13:30 PDT
Comment on attachment 458352
Patch

r=me
Comment 4 EWS 2022-04-26 23:49:35 PDT
Tools/Scripts/svn-apply failed to apply attachment 458352 to trunk.
Please resolve the conflicts and upload a new patch.
Comment 5 youenn fablet 2022-04-27 00:46:30 PDT
Created attachment 458427
Patch for landing
Comment 6 EWS 2022-04-27 03:37:17 PDT
Committed r293503 (250034@main): <https://commits.webkit.org/250034@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 458427.