Bug 239119 - <link rel=preconnect> always sends credentials to different-origin, ignoring crossorigin=anonymous
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: youenn fablet
Keywords: InRadar
Reported: 2022-04-12 02:35 PDT by Noam Rosenthal
Modified: 2022-04-27 03:37 PDT

Attachments
Patch (2.13 KB, patch)
2022-04-26 05:02 PDT, youenn fablet
Patch for landing (2.13 KB, patch)
2022-04-27 00:46 PDT, youenn fablet

Description Noam Rosenthal 2022-04-12 02:35:15 PDT
Given <link rel=preconnect href="https://some-other-origin" crossorigin=anonymous>
I believe from reading the code that the "anonymous" bit would be ignored:

Looking at Source/WebCore/loader/LinkLoader.cpp, line 217:

    if (equalIgnoringASCIICase(params.crossOrigin, "anonymous") && document.securityOrigin().isSameOriginDomain(SecurityOrigin::create(href)))
        storageCredentialsPolicy = StoredCredentialsPolicy::DoNotUse;

If I understand this line correctly, it would mean something like:

    useCredentials = link.crossorigin != 'anonymous' || !same_origin(link.href, document.origin)

So any preconnect to a different-origin href would send credentials :(

https://github.com/WebKit/WebKit/blob/8a5b17627ecd1a551b59978434f64378b4943bc7/Source/WebCore/loader/LinkLoader.cpp#L217

(It's a bit difficult to WPT this or show how this is ...)
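
The condition discussed in the description above, modelled as an added example (not part of the original report and not WebKit code): it compares the quoted check with the outcome the report expects and lists the preconnect hints where the two disagree. All function names and sample links are hypothetical, the same-origin test is approximated with a URL origin comparison, and the expected same-origin result (credentials sent) is an assumption that follows the HTML Standard's preconnect steps.

```javascript
// Added example: models the credentials decision quoted from LinkLoader.cpp
// and the decision the report expects. All names here are hypothetical.

// Approximates SecurityOrigin::isSameOriginDomain with a URL origin comparison (assumption).
function sameOrigin(href, documentUrl) {
  return new URL(href, documentUrl).origin === new URL(documentUrl).origin;
}

// Mirrors equalIgnoringASCIICase(params.crossOrigin, "anonymous").
function isAnonymous(crossOrigin) {
  return typeof crossOrigin === "string" && crossOrigin.toLowerCase() === "anonymous";
}

// The condition as quoted in the report: DoNotUse only when anonymous AND same-origin.
function reportedUsesCredentials(link, documentUrl) {
  return !(isAnonymous(link.crossOrigin) && sameOrigin(link.href, documentUrl));
}

// The outcome the report expects: DoNotUse when anonymous AND different-origin.
function expectedUsesCredentials(link, documentUrl) {
  return !(isAnonymous(link.crossOrigin) && !sameOrigin(link.href, documentUrl));
}

// Returns the preconnect hints whose outcome differs between the two conditions.
function auditPreconnects(links, documentUrl) {
  return links
    .map((link) => ({
      href: link.href,
      crossOrigin: link.crossOrigin,
      reported: reportedUsesCredentials(link, documentUrl),
      expected: expectedUsesCredentials(link, documentUrl),
    }))
    .filter((row) => row.reported !== row.expected);
}

// Constructed sample input (not from the bug report).
const DOCUMENT_URL = "https://app.example/index.html";
const SAMPLE_LINKS = [
  { href: "https://cdn.example/", crossOrigin: "anonymous" },      // cross-origin, anonymous
  { href: "https://cdn.example/", crossOrigin: null },             // cross-origin, no attribute
  { href: "/static/", crossOrigin: "Anonymous" },                  // same-origin, anonymous
  { href: "https://app.example:8443/", crossOrigin: "anonymous" }, // different port
];

for (const row of auditPreconnects(SAMPLE_LINKS, DOCUMENT_URL)) {
  console.log(`${row.href} crossorigin=${row.crossOrigin}: reported=${row.reported} expected=${row.expected}`);
}
```

Every hint with crossorigin=anonymous shows up in the output, because the quoted condition and the expected one differ only in the sign of the same-origin test.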
Comment 1 Radar WebKit Bug Importer 2022-04-12 12:48:46 PDT
<rdar://problem/91643534>
Comment 2 youenn fablet 2022-04-26 05:02:33 PDT
Created attachment 458352 [details]
Patch
Comment 3 John Wilander 2022-04-26 08:13:30 PDT
Comment on attachment 458352 [details]
Patch

r=me
Comment 4 EWS 2022-04-26 23:49:35 PDT
Tools/Scripts/svn-apply failed to apply attachment 458352 [details] to trunk.
Please resolve the conflicts and upload a new patch.
Comment 5 youenn fablet 2022-04-27 00:46:30 PDT
Created attachment 458427 [details]
Patch for landing
Comment 6 EWS 2022-04-27 03:37:17 PDT
Committed r293503 (250034@main): <https://commits.webkit.org/250034@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 458427 [details].