Changeset 293503 in webkit for trunk/Source/WebCore/loader/LinkLoader.cpp

Timestamp:

Apr 27, 2022, 3:36:07 AM (3 years ago)

Author:

[email protected]

Message:

<link rel=preconnect> always sends credentials to different-origin, ignoring crossorigin=anonymous
​https://bugs.webkit.org/show_bug.cgi?id=239119
<rdar://problem/91643534>

Reviewed by John Wilander.

Update the check as per spec, step 5 of
​https://html.spec.whatwg.org/multipage/links.html#link-type-preconnect

This is difficult to test as preconnect can only expose TLS credentials.

• loader/LinkLoader.cpp:

(WebCore::LinkLoader::preconnectIfNeeded):

File:

• trunk/Source/WebCore/loader/LinkLoader.cpp (modified) (1 diff)

trunk/Source/WebCore/loader/LinkLoader.cpp

@@ -215 +215 @@
     ASSERT(document.settings().linkPreconnectEnabled());
     StoredCredentialsPolicy storageCredentialsPolicy = StoredCredentialsPolicy::Use;
-    if (equalLettersIgnoringASCIICase(params.crossOrigin, "anonymous"_s) && document.securityOrigin().isSameOriginDomain(SecurityOrigin::create(href)))
+    if (equalLettersIgnoringASCIICase(params.crossOrigin, "anonymous"_s) && !document.securityOrigin().isSameOriginDomain(SecurityOrigin::create(href)))
         storageCredentialsPolicy = StoredCredentialsPolicy::DoNotUse;
     ASSERT(document.frame()->loader().networkingContext());