LibWeb/Fetch: Use origins in Cross-Origin-Embedder-Policy algorithm

Author: https://github.com/kemzeb Commit: 4533794c32 Pull-request: https://github.com/SerenityOS/serenity/pull/20777 Reviewed-by: https://github.com/trflynn89
2025-07-29 04:09:13 +00:00 · 2023-08-25 16:32:45 -07:00 · 2023-08-25 16:32:45 -07:00 · 4533794c32 · 2024-07-17 00:25:35 +09:00
commit 4533794c32
parent b33a71a35e
1 changed files with 5 additions and 5 deletions
--- a/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Requests.cpp
+++ b/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Requests.cpp
@ -364,12 +364,12 @@ bool Request::cross_origin_embedder_policy_allows_credentials() const
    // FIXME: 3. If request’s client’s policy container’s embedder policy’s value is not "credentialless", then return true.

    // 4. If request’s origin is same origin with request’s current URL’s origin and request does not have a redirect-tainted origin, then return true.
-    // FIXME: Actually use the given origins once we have https://url.spec.whatwg.org/#concept-url-origin.
-    if (HTML::Origin().is_same_origin(HTML::Origin()) && !has_redirect_tainted_origin())
-        return true;
-
    // 5. Return false.
-    return false;
+    auto const* request_origin = m_origin.get_pointer<HTML::Origin>();
+    if (request_origin == nullptr)
+        return false;
+
+    return request_origin->is_same_origin(URL::url_origin(current_url())) && !has_redirect_tainted_origin();
 }

 }