author | Luke Wilde <lukew@serenityos.org> | 2023-02-08 23:29:16 +0000 |
---|---|---|
committer | Linus Groh <mail@linusgroh.de> | 2023-02-10 22:18:19 +0000 |
commit | bf2895365bd79db393bfdaa266b2e5dab094fa06 (patch) | |
tree | 02e2ae13bc8a073e69a0823784869fe56434fdd4 /Userland/Libraries/LibWeb/Fetch/Fetching | |
parent | c51026a855398e27d4bec43670b173c8e47a3dbe (diff) | |
LibWeb/Fetch: Don't add cookies when creating ResourceLoader request
Using LoadRequest::create_for_url_on_page will unconditionally add
cookies as long as there's a page available. However, it is up to
http_network_or_cache_fetch to determine if cookies should be added to
the request.
This was noticed when implementing CORS-preflight requests, where we
sent cookies in OPTIONS requests.
Diffstat (limited to 'Userland/Libraries/LibWeb/Fetch/Fetching')
-rw-r--r-- | Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp b/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp index 33561de997..bba71ef085 100644 --- a/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp +++ b/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp @@ -1583,7 +1583,12 @@ WebIDL::ExceptionOr<JS::NonnullGCPtr<PendingResponse>> nonstandard_resource_load if (is<HTML::Window>(global_object)) page = static_cast<HTML::Window&>(global_object).page(); - auto load_request = LoadRequest::create_for_url_on_page(request->current_url(), page); + // NOTE: Using LoadRequest::create_for_url_on_page here will unconditionally add cookies as long as there's a page available. + // However, it is up to http_network_or_cache_fetch to determine if cookies should be added to the request. + LoadRequest load_request; + load_request.set_url(request->current_url()); + if (page) + load_request.set_page(*page); load_request.set_method(DeprecatedString::copy(request->method())); for (auto const& header : *request->header_list()) load_request.set_header(DeprecatedString::copy(header.name), DeprecatedString::copy(header.value)); |
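Review bot: Where `LoadRequest::create_for_url_on_page` is replaced by a hand-built `LoadRequest` (`set_url`, then `set_page` only when `page` is set), the hunk does not show whether the helper set anything besides the URL, the page and the cookies, so please confirm nothing else is lost by bypassing it. The header loop that follows copies every entry of `request->header_list()`, so after this change a `Cookie` header reaches the wire only if `http_network_or_cache_fetch` has placed it in that list, which matches the NOTE comment. A regression test asserting that a CORS-preflight OPTIONS request carries no `Cookie` header would keep a later cleanup from swapping the helper back in; the NOTE could also mention the preflight case from the commit message so the reason stays next to the code.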