Change default credentials mode for module scripts from omit to same-origin
Reported by ppyt...@gmail.com, Jun 3 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36

Steps to reproduce the problem:
1. Protect access to the site so only logged-in users can access it (using IIS with WebForms authentication, but that shouldn't matter)
2. <script src="localmodule.js" type="module"></script>
3. Observe a 302 response for the localmodule.js because authentication cookies are not sent with that request, so the server has no way to authenticate the user and redirects to a login page.

What is the expected behavior?
I don't see why type=module .js files are handled differently from all the other .js requests (where cookies are sent correctly - we're talking SAME ORIGIN). I'd expect the cookies to be sent just like for any other request.

What went wrong?
Can't get modules working on a site with authentication. Don't want to be forced to create authentication exceptions for every module file used just to have them served bypassing authentication.

Did this work before? N/A

Does this work in other browsers? No, Firefox behaves the same way, no cookies sent to the server for javascript type=module - Edge and IE don't seem to even support type=module, haven't tried any other browser yet.

Chrome version: 66.0.3359.181
Channel: n/a
OS Version: 10.0
Flash Version:
Jun 4 2018
Thanks for filing the issue! @Reporter: Could you please share a sample test file/URL for ease of reproducing this.
Jun 4 2018
Thanks for filing! This is working as currently specced:
Spec: https://html.spec.whatwg.org/multipage/urls-and-fetching.html#module-script-credentials-mode
but the spec is being changed: https://github.com/whatwg/html/pull/3656
After the spec change, the credentials mode is same-origin, i.e. cookies are sent if same-origin.
Jun 4 2018
+domenic@ Do we need an intent or something?
Jun 5 2018
hiroshige@ FWIW I am happy to take this if you haven't started it/are OK with that, up to you.
Sep 11
We should probably do an intent. I am happy to help review and edit one. I think this bit a developer in the wild today. Any chance we could up the priority? The spec change is also blocked on tests landing, and we concluded the best way to do that was alongside an implementation change.
Sep 12
I'll go ahead and get started on this, and if I need guidance I'll reach out to kouhei@ or hiroshige@. Will share a Google Doc w/ an intent too.
Sep 12
ACK. Thanks for taking over!
Sep 22
Intent: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/CUAxbvtnCh4 CL coming shortly
Sep 26
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/fe47153fac6ff8f6ea7300cfd3e40369d0733dd6

commit fe47153fac6ff8f6ea7300cfd3e40369d0733dd6
Author: Dominic Farolino <domfarolino@gmail.com>
Date: Wed Sep 26 14:25:17 2018

Module scripts use same-origin credentials mode by default

Before this CL, module scripts via <script type=module> used "omit" as the default credentials mode. After this CL, "same-origin" is used. This extends to module script descendants as well.

Intent to implement and ship: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/CUAxbvtnCh4.

R=kinuko@chromium.org, kouhei@chromium.org, nhiroki@chromium.org

Bug: 849101
Change-Id: I62617aafd3e226bc86459ec4a24138d9eac6e8ff
Reviewed-on: https://chromium-review.googlesource.com/1239638
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Commit-Queue: Dominic Farolino <domfarolino@gmail.com>
Cr-Commit-Position: refs/heads/master@{#594305}

[modify] https://crrev.com/fe47153fac6ff8f6ea7300cfd3e40369d0733dd6/third_party/WebKit/LayoutTests/external/wpt/html/semantics/scripting-1/the-script-element/module/credentials.sub.html
[modify] https://crrev.com/fe47153fac6ff8f6ea7300cfd3e40369d0733dd6/third_party/WebKit/LayoutTests/external/wpt/html/semantics/scripting-1/the-script-element/module/resources/credentials-iframe.sub.html
[modify] https://crrev.com/fe47153fac6ff8f6ea7300cfd3e40369d0733dd6/third_party/blink/renderer/bindings/core/v8/script_streamer_test.cc
[modify] https://crrev.com/fe47153fac6ff8f6ea7300cfd3e40369d0733dd6/third_party/blink/renderer/core/html/parser/html_preload_scanner_test.cc
[modify] https://crrev.com/fe47153fac6ff8f6ea7300cfd3e40369d0733dd6/third_party/blink/renderer/core/loader/link_loader_test.cc
[modify] https://crrev.com/fe47153fac6ff8f6ea7300cfd3e40369d0733dd6/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
[modify] https://crrev.com/fe47153fac6ff8f6ea7300cfd3e40369d0733dd6/third_party/blink/renderer/core/script/classic_pending_script.cc
[modify] https://crrev.com/fe47153fac6ff8f6ea7300cfd3e40369d0733dd6/third_party/blink/renderer/core/script/classic_pending_script.h
[modify] https://crrev.com/fe47153fac6ff8f6ea7300cfd3e40369d0733dd6/third_party/blink/renderer/core/script/document_write_intervention.cc
[modify] https://crrev.com/fe47153fac6ff8f6ea7300cfd3e40369d0733dd6/third_party/blink/renderer/core/script/document_write_intervention.h
[modify] https://crrev.com/fe47153fac6ff8f6ea7300cfd3e40369d0733dd6/third_party/blink/renderer/core/script/script_loader.cc
[modify] https://crrev.com/fe47153fac6ff8f6ea7300cfd3e40369d0733dd6/third_party/blink/renderer/core/script/script_loader.h
[modify] https://crrev.com/fe47153fac6ff8f6ea7300cfd3e40369d0733dd6/third_party/blink/renderer/platform/loader/fetch/script_fetch_options.cc
[modify] https://crrev.com/fe47153fac6ff8f6ea7300cfd3e40369d0733dd6/third_party/blink/renderer/platform/loader/fetch/script_fetch_options.h
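The following is an added example, not code from the Chromium CL above, the bug report, or the HTML spec. It models the credentials-mode selection that the spec change (whatwg/html#3656) and the commit message describe: how the `crossorigin` attribute state on a `<script>` maps to a fetch credentials mode, what that mode means for whether a cookie is attached, and why the reporter's same-origin module got a 302 in Chrome 66 while ordinary classic scripts carried cookies. The function names, the `beforeSpecChange` option, and the sample URLs are my own constructions; the `sendsCookies` check deliberately ignores SameSite, Secure and path scoping and answers only the credentials-mode question.

```javascript
// Added example (not from the Chromium CL or the spec text). Models the
// HTML spec's credentials-mode selection for <script> fetches and the
// effect of the default change from "omit" to "same-origin".

// crossorigin is an enumerated attribute: missing -> No CORS,
// "use-credentials" -> Use Credentials, anything else (including "" and
// "anonymous") -> Anonymous.
function corsSettingsState(crossorigin) {
  if (crossorigin === null || crossorigin === undefined) return 'no-cors';
  return String(crossorigin).toLowerCase() === 'use-credentials'
    ? 'use-credentials'
    : 'anonymous';
}

// Credentials mode for a <script type="module"> fetch.
// beforeSpecChange=true reproduces the pre-whatwg/html#3656 text, where the
// No CORS state mapped to "omit" (the behaviour the reporter saw in Chrome 66).
function moduleCredentialsMode(crossorigin, { beforeSpecChange = false } = {}) {
  const state = corsSettingsState(crossorigin);
  if (state === 'no-cors') return beforeSpecChange ? 'omit' : 'same-origin';
  if (state === 'anonymous') return 'same-origin';
  return 'include';
}

// A classic <script> without crossorigin is a "no-cors" request with
// credentials "include", which is why the reporter's ordinary .js files
// always carried the authentication cookie.
function classicCredentialsMode(crossorigin) {
  const state = corsSettingsState(crossorigin);
  if (state === 'anonymous') return 'same-origin';
  return 'include';
}

// Would a Cookie header be attached when a document at docUrl fetches
// scriptUrl under the given credentials mode? Only the credentials mode is
// considered here (no SameSite, Secure or path/domain scoping).
function sendsCookies(mode, docUrl, scriptUrl) {
  if (mode === 'include') return true;
  if (mode === 'omit') return false;
  // 'same-origin': scheme, host and port must all match.
  return new URL(docUrl).origin === new URL(scriptUrl).origin;
}

// Descendant module scripts (static import and import() from the module)
// are fetched with the root module script's fetch options, so the root's
// credentials mode decides for the whole module graph.
function fetchTree(docUrl, rootUrl, crossorigin, descendantUrls, opts = {}) {
  const mode = moduleCredentialsMode(crossorigin, opts);
  return [rootUrl, ...descendantUrls].map((url) => ({
    url,
    mode,
    cookies: sendsCookies(mode, docUrl, url),
  }));
}

// Reporter's scenario with constructed sample URLs: a same-origin module with
// no crossorigin attribute. Rows with cookies=false are the requests that hit
// the server unauthenticated and were redirected to the login page.
const doc = 'https://app.example/';
const root = 'https://app.example/localmodule.js';
const deps = ['https://app.example/helpers/dep.js'];
console.log('Chrome 66 (pre-change):',
  fetchTree(doc, root, null, deps, { beforeSpecChange: true }));
console.log('After whatwg/html#3656:',
  fetchTree(doc, root, null, deps));
console.log('Pre-change with crossorigin="anonymous":',
  fetchTree(doc, root, 'anonymous', deps, { beforeSpecChange: true }));
```

The third call shows the consequence of the spec's mapping that matters for anyone stuck on a pre-change browser: because the Anonymous state maps to "same-origin" in both the old and the new text, adding `crossorigin="anonymous"` to a same-origin `<script type="module">` gets cookies sent without exposing them cross-origin, whereas `crossorigin="use-credentials"` ("include") would also send them to other origins and should be reserved for modules that genuinely need that.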
Nov 2
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ddb23f27ff0cdcc155f9eb535ad03ab0cd04b3f4

commit ddb23f27ff0cdcc155f9eb535ad03ab0cd04b3f4
Author: Dominic Farolino <domfarolino@gmail.com>
Date: Fri Nov 02 07:34:53 2018

Change default classic script fetch options credentials mode

This CL changes the default classic script fetch options credentials mode from "omit" to "same-origin", as per the recent spec change [1], and adds descendant worker credentials tests as a follow-up to said spec change and [2].

[1]: https://github.com/whatwg/html/pull/3656
[2]: https://github.com/web-platform-tests/wpt/issues/13426

R=domenic@chromium.org, kouhei@chromium.org, nhiroki@chromium.org

Bug: 849101
Change-Id: I958f552f0ee91beb8aab98269f79a1eb219fb40a
Reviewed-on: https://chromium-review.googlesource.com/c/1301964
Commit-Queue: Dominic Farolino <domfarolino@gmail.com>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Cr-Commit-Position: refs/heads/master@{#604862}

[modify] https://crrev.com/ddb23f27ff0cdcc155f9eb535ad03ab0cd04b3f4/third_party/WebKit/LayoutTests/external/wpt/workers/modules/dedicated-worker-options-credentials.html
[modify] https://crrev.com/ddb23f27ff0cdcc155f9eb535ad03ab0cd04b3f4/third_party/WebKit/LayoutTests/external/wpt/workers/modules/dedicated-worker-options-credentials.html.headers
[modify] https://crrev.com/ddb23f27ff0cdcc155f9eb535ad03ab0cd04b3f4/third_party/WebKit/LayoutTests/external/wpt/workers/modules/resources/credentials.py
[add] https://crrev.com/ddb23f27ff0cdcc155f9eb535ad03ab0cd04b3f4/third_party/WebKit/LayoutTests/external/wpt/workers/modules/resources/dynamic-import-remote-origin-credentials-checker-worker.sub.js
[add] https://crrev.com/ddb23f27ff0cdcc155f9eb535ad03ab0cd04b3f4/third_party/WebKit/LayoutTests/external/wpt/workers/modules/resources/dynamic-import-same-origin-credentials-checker-worker.js
[add] https://crrev.com/ddb23f27ff0cdcc155f9eb535ad03ab0cd04b3f4/third_party/WebKit/LayoutTests/external/wpt/workers/modules/resources/static-import-remote-origin-credentials-checker-worker.sub.js
[add] https://crrev.com/ddb23f27ff0cdcc155f9eb535ad03ab0cd04b3f4/third_party/WebKit/LayoutTests/external/wpt/workers/modules/resources/static-import-same-origin-credentials-checker-worker.js
[modify] https://crrev.com/ddb23f27ff0cdcc155f9eb535ad03ab0cd04b3f4/third_party/blink/renderer/bindings/core/v8/referrer_script_info.h