--- Comment #6 from ---
I've set up a demonstration which shows that cross-domain requests are
forbidden from using withCredentials=true when Access-Control-Allow-Origin is
set to "*".

This page sets a cookie for the subdomain, then uses it to
fetch a token from the same subdomain, which succeeds (the cookie is sent even
without withCredentials=true, as it's a request to the same subdomain):

This page, on a different subdomain, is able to make an unauthenticated request
to the other subdomain (as the response has an "Access-Control-Allow-Origin: *"
header), but is forbidden from making a request with credentials:

The (very simple) code is here:

If there's a flaw in the security logic, it would be very useful to know about;
on the other hand, I hope this will be persuasive enough to re-open this

Note that for the white-listed domains, the response can still include a
specific origin and so allow credentials to be sent; the
"Access-Control-Allow-Origin: *" response would just be for non-whitelisted

Wikibugs-l mailing list
