Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 81e651381222fbbd41bde3e211b1ea6edbfc37d8
https://github.com/WebKit/WebKit/commit/81e651381222fbbd41bde3e211b1ea6edbfc37d8
Author: Youenn Fablet <[email protected]>
Date: 2026-03-18 (Wed, 18 Mar 2026)
Changed paths:
M Source/WebCore/loader/cache/CachedResourceLoader.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/Navigation.mm
Log Message:
-----------
Safari allows CSRF by resetting the Sec-Fetch-Site header on refresh
rdar://158416842
Reviewed by Chris Dumez.
In case of form resubmission, we were recomputing Sec-Fetch-Site and friends
from the destination origin, which was wrong.
Instead, given we already computed the Sec headers, we reuse them when
resubmitting a form.
Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/Navigation.mm
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::shouldReuseExistingFetchMetadata):
(WebCore::shouldUpdateFetchMetadata):
(WebCore::CachedResourceLoader::updateHTTPRequestHeaders):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/Navigation.mm:
(TEST(Navigation, FormResubmited)):
Originally-landed-as: 301765.328@safari-7623-branch (00c47cad6649).
rdar://171560549
Canonical link: https://commits.webkit.org/309498@main
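As an added illustration that is not part of this commit or of WebKit's code, the following Python model shows the behaviour the message describes: a simplified Fetch Metadata Sec-Fetch-Site computation, the buggy recompute-from-destination path beside the fixed reuse-existing-headers path, and a typical server-side resource isolation check whose verdict differs between the two. The hostnames, the scenario, and the two-label registrable-domain approximation are constructed assumptions.

```python
from urllib.parse import urlsplit

def origin_of(url: str) -> tuple:
    """Return (scheme, host, port) for a URL, filling in the default port."""
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, p.hostname, port)

def registrable_domain(host: str) -> str:
    # Constructed approximation: last two labels, no public-suffix list lookup.
    labels = host.split(".")
    return ".".join(labels[-2:])

def sec_fetch_site(initiator_origin, destination_url: str) -> str:
    """Simplified Fetch Metadata Sec-Fetch-Site computation."""
    if initiator_origin is None:          # user-initiated (typed URL, bookmark)
        return "none"
    dest = origin_of(destination_url)
    if initiator_origin == dest:
        return "same-origin"
    if initiator_origin[0] == dest[0] and \
            registrable_domain(initiator_origin[1]) == registrable_domain(dest[1]):
        return "same-site"
    return "cross-site"

def fetch_metadata_for_submit(initiator_origin, action_url: str) -> dict:
    """Headers a browser attaches when a form is first submitted."""
    return {"Sec-Fetch-Site": sec_fetch_site(initiator_origin, action_url),
            "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}

def fetch_metadata_for_resubmit(original: dict, action_url: str, reuse_existing: bool) -> dict:
    """Model of the two behaviours on reload/resubmission of a POST."""
    if reuse_existing:                    # fixed behaviour: keep the headers already computed
        return dict(original)
    # Buggy behaviour: the initiator is taken to be the destination itself,
    # so Sec-Fetch-Site always comes out as "same-origin".
    return fetch_metadata_for_submit(origin_of(action_url), action_url)

def server_accepts_state_change(headers: dict) -> bool:
    """Typical resource-isolation policy a server applies to a state-changing POST."""
    return headers.get("Sec-Fetch-Site") in ("same-origin", "same-site", "none")

if __name__ == "__main__":
    # Constructed scenario: a form on one site posts to a handler on another site.
    action = "https://shop.example/account/email"
    first = fetch_metadata_for_submit(origin_of("https://other.example/"), action)
    buggy = fetch_metadata_for_resubmit(first, action, reuse_existing=False)
    fixed = fetch_metadata_for_resubmit(first, action, reuse_existing=True)
    print("first submit accepted:", server_accepts_state_change(first))    # False
    print("buggy resubmit accepted:", server_accepts_state_change(buggy))  # True
    print("fixed resubmit accepted:", server_accepts_state_change(fixed))  # False
```

The point for defenders: a server-side Fetch Metadata policy is only as strong as the browser's guarantee that the headers describe the real initiator, which is what reusing the originally computed headers on resubmission restores.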