From bf2895365bd79db393bfdaa266b2e5dab094fa06 Mon Sep 17 00:00:00 2001
From: Luke Wilde
Date: Wed, 8 Feb 2023 23:29:16 +0000
Subject: [PATCH] LibWeb/Fetch: Don't add cookies when creating ResourceLoader request

Using LoadRequest::create_for_url_on_page will unconditionally add cookies as long as there's a page available. However, it is up to http_network_or_cache_fetch to determine if cookies should be added to the request. This was noticed when implementing CORS-preflight requests, where we sent cookies in OPTIONS requests.
---
 Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp b/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
index 33561de997..bba71ef085 100644
--- a/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
+++ b/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
@@ -1583,7 +1583,12 @@ WebIDL::ExceptionOr> nonstandard_resource_load
 if (is(global_object))
 page = static_cast(global_object).page();
- auto load_request = LoadRequest::create_for_url_on_page(request->current_url(), page);
+ // NOTE: Using LoadRequest::create_for_url_on_page here will unconditionally add cookies as long as there's a page available.
+ // However, it is up to http_network_or_cache_fetch to determine if cookies should be added to the request.
+ LoadRequest load_request;
+ load_request.set_url(request->current_url());
+ if (page)
+ load_request.set_page(*page);
 load_request.set_method(DeprecatedString::copy(request->method()));
 for (auto const& header : *request->header_list())
 load_request.set_header(DeprecatedString::copy(header.name), DeprecatedString::copy(header.value));
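Review bot: The added `set_url` and `set_page` calls appear to re-implement by hand everything `LoadRequest::create_for_url_on_page` does except the cookie lookup, so the two can drift apart. Any setup the helper gains later would be missing on the fetch path, and a cleanup that switches back to the helper would silently put cookies back on credential-less requests such as the CORS preflight named in the commit message. The NOTE should also say where a Cookie header is expected to come from, for example `// Any Cookie header must already be in request->header_list(), which is copied below; do not add one here.` A regression test asserting that an OPTIONS preflight carries no Cookie header would pin this; whether one exists is not visible from this patch. The enclosing function starts and ends outside the hunk.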