Open Bug 1554538 Opened 4 years ago Updated 2 months ago

Consider stripping credentials from URLs for cross-origin loads instead of failing the CORS load

Categories

(Core :: DOM: Networking, defect, P3)

defect

Tracking

()

People

(Reporter: ehsan.akhgari, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [necko-triaged])

We currently fail https://searchfox.org/mozilla-central/source/testing/web-platform/tests/xhr/access-control-preflight-credential-async.htm and https://searchfox.org/mozilla-central/source/testing/web-platform/tests/xhr/access-control-preflight-credential-sync.htm because we raise an error event. This happens because we bail out here: https://searchfox.org/mozilla-central/rev/aba472751e24763d0c18bae8408e9d7106e9acea/netwerk/protocol/http/nsCORSListenerProxy.cpp#951.

This test was originally added in https://bugs.webkit.org/show_bug.cgi?id=37781. Comment 2 of that bug suggests that WebKit has historically done this for cross-origin loads (not sure if that means CORS loads or not...). We should probably consider adopting the same behaviour.

Anne, is this specified in fetch?

Flags: needinfo?(annevk)

Yeah, step 5.17.2.3 of https://fetch.spec.whatwg.org/#http-network-or-cache-fetch would not have the authentication-fetch flag set. (That only gets set after a 401 that the browser handles, which isn't allowed during CORS.)

Flags: needinfo?(annevk)
Priority: -- → P2
Whiteboard: [necko-triaged]
Blocks: xhr
Priority: P2 → P3
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.