XMLHttpRequest fails with CORS error on redirections #1361
Comments
It also fails with upstream GTK.
I also raised a ticket in upstream about this issue: https://bugs.webkit.org/show_bug.cgi?id=276364
@filipe-norte-red : can you verify the fix from WebKit/WebKit#30638? I think we can use it in downstream before it will be merged in upstream.
@pgorszkowski-igalia , I tried it and it works. I haven't done further smoke testing yet though to see if any regression was introduced
@filipe-norte-red : can you do more smoke testing before we merge it?
@pgorszkowski-igalia , I did some initial smoke testing with success, but we'll be running additional tests with additional devices to try to flush out any potential regressions. I'll keep you updated.
@pgorszkowski-igalia , we tested multiple applications across a few devices to try to flush out any issues. No issues were observed with this fix.
@filipe-norte-red : thanks for your feedback and tests. I will prepare a PR with this fix for wpe-2.38 for merge.
When performing an XMLHttpRequest without credentials and using an
Access-Control-Allow-Origin: *
header on a site that performs redirections, the request fails with CORS errors. The attached wildcard-cors.zip package contains test files that reproduce this issue. Please see the included readme.txt file for reproduction steps.
This was tested only on wpe-2.38. Same test passes on Chrome and Firefox.
Potential fix:
The patch below is a fix candidate (Thanks to Alkis Gkouzias for the investigation and proposal):
Rationale
In Source/WebCore/loader/CrossOriginAccessControl.cpp it can be seen that the reason that the "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true" error happens is that
is false. This means that while access control allow origin is set to *, storedCredentialsPolicy is not set to DoNotUse. This results from Source/WebCore/xml/XMLHttpRequest.cpp in method ExceptionOr XMLHttpRequest::createRequest()
This line will essentially set options.credentials to SameOrigin in case that they are not included. However, such an option will result in StoredCredentialsPolicy::Use in Source/WebCore/loader/DocumentThreadableLoader.cpp
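An added example, not part of the original report and not WebKit code: a simplified JavaScript model of the wildcard check described in the rationale above. It assumes a constructed scenario in which a same-origin URL redirects to another origin and the credentials policy is derived from the first URL only; the function names and URLs are hypothetical.

```javascript
// Simplified model of the wildcard check discussed above; not WebKit code.
// Names (policyFor, corsCheck, followChain) are hypothetical.
const USE = "Use", DO_NOT_USE = "DoNotUse";

// Credentials travel for "include", or for "same-origin" only while the
// current hop targets the page's own origin (Fetch standard semantics).
function policyFor(credentialsMode, pageOrigin, url) {
  if (credentialsMode === "include") return USE;
  if (credentialsMode === "same-origin" && new URL(url).origin === pageOrigin) return USE;
  return DO_NOT_USE;
}

// The wildcard is acceptable only when no stored credentials are in play.
function corsCheck(allowOrigin, pageOrigin, policy) {
  if (allowOrigin === "*") {
    return policy === DO_NOT_USE
      ? { ok: true }
      : { ok: false, error: "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true" };
  }
  return allowOrigin === pageOrigin ? { ok: true } : { ok: false, error: "Origin not allowed" };
}

// Walk a constructed redirect chain. recomputePerHop=false keeps the policy
// derived for the first URL (the stale state); true re-derives it per hop.
function followChain(hops, pageOrigin, credentialsMode, recomputePerHop) {
  let policy = policyFor(credentialsMode, pageOrigin, hops[0].url);
  for (const hop of hops) {
    if (recomputePerHop) policy = policyFor(credentialsMode, pageOrigin, hop.url);
    const crossOrigin = new URL(hop.url).origin !== pageOrigin;
    if (crossOrigin) {
      const result = corsCheck(hop.allowOrigin, pageOrigin, policy);
      if (!result.ok) return { ...result, failedAt: hop.url };
    }
  }
  return { ok: true };
}

// Constructed sample: a same-origin URL that redirects to another origin.
const PAGE = "https://app.example";
const CHAIN = [
  { url: "https://app.example/start", status: 302 },
  { url: "https://cdn.example/data.json", status: 200, allowOrigin: "*" },
];
```

With the stale policy the second hop is rejected with the wildcard error; re-deriving the policy per hop lets the request through, while a request in "include" mode is still refused against the wildcard.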