From 4533794c3214fc9bef6835d7f76d8bfd4b8e4b1b Mon Sep 17 00:00:00 2001
From: Kemal Zebari
Date: Fri, 25 Aug 2023 16:32:45 -0700
Subject: [PATCH] LibWeb/Fetch: Use origins in `Cross-Origin-Embedder-Policy` algorithm
---
 .../LibWeb/Fetch/Infrastructure/HTTP/Requests.cpp | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Requests.cpp b/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Requests.cpp
index 5ca95219ee..7d1194f514 100644
--- a/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Requests.cpp
+++ b/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Requests.cpp
@@ -364,12 +364,12 @@ bool Request::cross_origin_embedder_policy_allows_credentials() const
 // FIXME: 3. If request’s client’s policy container’s embedder policy’s value is not "credentialless", then return true.
 
 // 4. If request’s origin is same origin with request’s current URL’s origin and request does not have a redirect-tainted origin, then return true.
- // FIXME: Actually use the given origins once we have https://url.spec.whatwg.org/#concept-url-origin.
- if (HTML::Origin().is_same_origin(HTML::Origin()) && !has_redirect_tainted_origin())
- return true;
-
 // 5. Return false.
- return false;
+ auto const* request_origin = m_origin.get_pointer();
+ if (request_origin == nullptr)
+ return false;
+
+ return request_origin->is_same_origin(URL::url_origin(current_url())) && !has_redirect_tainted_origin();
 }
 
 }
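Review bot: The new `request_origin == nullptr` early return answers "credentials not allowed" whenever `m_origin` does not hold a concrete origin, and nothing in the hunk says whether that fail-closed result is intended or whether this state should never reach here. A short comment above it would settle that, e.g. `// NOTE: m_origin may not hold a concrete origin here; treat that as not same-origin and withhold credentials.`, or a `VERIFY` if the origin is expected to be resolved by this point. Separately, step 3 is still a FIXME in the context lines, so now that step 4 compares real origins, cross-origin requests that get this far are denied credentials whatever the embedder policy value is; that is the safe direction but stricter than the quoted spec text, and worth recording in the FIXME. As rendered, `m_origin.get_pointer()` carries no template argument, which was presumably lost when the page was extracted. The function begins outside the hunk, so steps 1 and 2 are not visible.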