When performing an XMLHttpRequest without credentials against a site that answers with an Access-Control-Allow-Origin: * header and performs redirections, the request fails with CORS errors.
[Error] Cross-origin redirection to http://192.168.1.75:8000/origin1_target.php denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
[Error] Failed to load resource: Cross-origin redirection to http://192.168.1.75:8000/origin1_target.php denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. (origin2_redirect.php, line 0)
[Error] XMLHttpRequest cannot load http://192.168.1.75:8001/origin2_redirect.php due to access control checks.
The attached wildcard-cors.zip package contains test files that reproduce this issue. Please see the included readme.txt file for reproduction steps.
This was tested only on wpe-2.38. Same test passes on Chrome and Firefox.
Potential fix:
The patch below is a fix candidate (Thanks to Alkis Gkouzias for the investigation and proposal):
diff --git a/Source/WebCore/xml/XMLHttpRequest.cpp b/Source/WebCore/xml/XMLHttpRequest.cpp
index 283754477322..035239e8a879 100644
--- a/Source/WebCore/xml/XMLHttpRequest.cpp
+++ b/Source/WebCore/xml/XMLHttpRequest.cpp
@@ -642,7 +642,7 @@ ExceptionOr<void> XMLHttpRequest::createRequest()
// The presence of upload event listeners forces us to use preflighting because POSTing to an URL that does not
// permit cross origin requests should look exactly like POSTing to an URL that does not respond at all.
options.preflightPolicy = m_uploadListenerFlag ? PreflightPolicy::Force : PreflightPolicy::Consider;
- options.credentials = m_includeCredentials ? FetchOptions::Credentials::Include : FetchOptions::Credentials::SameOrigin;
+ options.credentials = m_includeCredentials ? FetchOptions::Credentials::Include : FetchOptions::Credentials::Omit;
options.mode = FetchOptions::Mode::Cors;
options.contentSecurityPolicyEnforcement = scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy() ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective;
options.initiator = cachedResourceRequestInitiators().xmlhttprequest;
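Review bot: The changed line alters the credentials mode of every XMLHttpRequest that does not set withCredentials, not only the cross-origin redirect case reported here: a request in SameOrigin mode still sends cookies to its own origin, while Omit never sends them, so same-origin XHRs without withCredentials would stop carrying cookies after this hunk. The rationale in this report locates the real problem in Source/WebCore/loader/DocumentThreadableLoader.cpp mapping FetchOptions::Credentials::SameOrigin to StoredCredentialsPolicy::Use for a cross-origin (or redirected cross-origin) request, so a narrower fix there, together with a layout test built from the attached wildcard-cors.zip reproduction, would be safer than changing `options.credentials` at this point.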
Rationale
In Source/WebCore/loader/CrossOriginAccessControl.cpp it can be seen that the "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true" error is raised because
is false. This means that while Access-Control-Allow-Origin is set to *, storedCredentialsPolicy is not set to DoNotUse. That policy originates in Source/WebCore/xml/XMLHttpRequest.cpp, in the method ExceptionOr<void> XMLHttpRequest::createRequest().
This line sets options.credentials to SameOrigin whenever credentials are not included. That option, however, results in StoredCredentialsPolicy::Use in Source/WebCore/loader/DocumentThreadableLoader.cpp.
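To make the failing check concrete, the following added example (not WebKit code, and not from the attached test package) models the Fetch "CORS check" that a browser runs on each response of a cross-origin XHR, then walks the redirect chain from the error log above. The URLs are taken from the log; the response headers, status codes and the page origin on port 8002 are constructed for the example.

```javascript
// Added example (not WebKit code): models the Fetch "CORS check" a browser
// runs on every response of a cross-origin XHR, redirects included.
// Returns null when the check passes, otherwise the reason it fails.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return "missing Access-Control-Allow-Origin";
  if (credentialsMode !== "include") {
    // Credentials flag is false: the wildcard is acceptable.
    if (allowOrigin === "*" || allowOrigin === requestOrigin) return null;
    return `origin ${requestOrigin} not allowed by ${allowOrigin}`;
  }
  // Credentials flag is true: no wildcard, and ACAC must be exactly "true".
  if (allowOrigin === "*") {
    return "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true";
  }
  if (allowOrigin !== requestOrigin) return `origin ${requestOrigin} not allowed by ${allowOrigin}`;
  if (headers["access-control-allow-credentials"] !== "true") {
    return 'Access-Control-Allow-Credentials must be "true" when credentials flag is true';
  }
  return null;
}

// Follows a redirect chain, running the CORS check on each hop.
// `responses` maps URL -> { status, headers }; a 3xx with Location redirects.
function fetchWithCors(url, requestOrigin, credentialsMode, responses, maxHops = 20) {
  for (let hop = 0; hop < maxHops; hop++) {
    const resp = responses[url];
    if (!resp) return { ok: false, url, reason: "no response for " + url };
    const failure = corsCheck(requestOrigin, credentialsMode, resp.headers);
    if (failure) return { ok: false, url, reason: failure };
    const location = resp.headers["location"];
    if (resp.status < 300 || resp.status > 399 || !location) return { ok: true, url };
    url = location;
  }
  return { ok: false, url, reason: "too many redirects" };
}

// Constructed responses mirroring the reproduction (URLs from the error log):
// port 8001 redirects to port 8000, both send the wildcard, no ACAC header.
const RESPONSES = {
  "http://192.168.1.75:8001/origin2_redirect.php": {
    status: 302, headers: { "access-control-allow-origin": "*",
      "location": "http://192.168.1.75:8000/origin1_target.php" },
  },
  "http://192.168.1.75:8000/origin1_target.php": {
    status: 200, headers: { "access-control-allow-origin": "*" },
  },
};
const PAGE_ORIGIN = "http://192.168.1.75:8002"; // constructed page origin
```

With the credentials flag false ("omit", or "same-origin" on a cross-origin URL) the chain passes, while "include" is refused at the redirect response with the same message the WebKit log shows; treating SameOrigin as a used credential is what turns the first case into the second.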