Changes on SOP and CORS on Firefox
I'm a cybersecurity professional and I'm researching about Same Origin Policy, Cross Origin Resource Sharing and how firefox deal with those things. I've find out that versions before 102.1.0esr, cross-origin script GET requests used to attach cookies (Image 1), but in newer versions, it's not happening (Image 2). I checked the release notes but didn't find nothing about this change.
I would like to learn more about what changed and how Firefox is dealing with cookies, SOP and CORS.
Thanks!
Semua Balasan (2)
It may be due to bug 1802086.
whatwg/fetch#1544 changes the Fetch Standard to remove a web-developer-set Authorization header upon a cross-origin redirect.
According to https://wpt.fyi/results/fetch/api/credentials/authentication-redirection.any.html, all the web browsers already conforms with this spec change.
You can use mozregression to find when the change occurred.