Changeset 293503 in webkit

Timestamp:

Apr 27, 2022 3:36:07 AM (3 months ago)

Author:

youenn@apple.com

Message:

<link rel=preconnect> always sends credentials to different-origin, ignoring crossorigin=anonymous
​https://bugs.webkit.org/show_bug.cgi?id=239119
<rdar://problem/91643534>

Reviewed by John Wilander.

Update the check as per spec, step 5 of
​https://html.spec.whatwg.org/multipage/links.html#link-type-preconnect

This is difficult to test as preconnect can only expose TLS credentials.

• loader/LinkLoader.cpp:

(WebCore::LinkLoader::preconnectIfNeeded):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• loader/LinkLoader.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2022-04-27  Youenn Fablet  <youenn@apple.com>
+
+        <link rel=preconnect> always sends credentials to different-origin, ignoring crossorigin=anonymous
+        https://bugs.webkit.org/show_bug.cgi?id=239119
+        <rdar://problem/91643534>
+
+        Reviewed by John Wilander.
+
+        Update the check as per spec, step 5 of
+        https://html.spec.whatwg.org/multipage/links.html#link-type-preconnect
+
+        This is difficult to test as preconnect can only expose TLS credentials.
+
+        * loader/LinkLoader.cpp:
+        (WebCore::LinkLoader::preconnectIfNeeded):
+
 2022-04-27  Youenn Fablet  <youenn@apple.com>
 

trunk/Source/WebCore/loader/LinkLoader.cpp

@@ -215 +215 @@
     ASSERT(document.settings().linkPreconnectEnabled());
     StoredCredentialsPolicy storageCredentialsPolicy = StoredCredentialsPolicy::Use;
-    if (equalLettersIgnoringASCIICase(params.crossOrigin, "anonymous"_s) && document.securityOrigin().isSameOriginDomain(SecurityOrigin::create(href)))
+    if (equalLettersIgnoringASCIICase(params.crossOrigin, "anonymous"_s) && !document.securityOrigin().isSameOriginDomain(SecurityOrigin::create(href)))
         storageCredentialsPolicy = StoredCredentialsPolicy::DoNotUse;
     ASSERT(document.frame()->loader().networkingContext());