New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 903032 link

Starred by 1 user
Status: Untriaged
Owner: ----
Cc:
krajshree@chromium.org
yhirano@chromium.org
toyoshim@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug



Sign in to add a comment

cookie of link element to link to a manifest

Reported by yoshiaki...@connecty.co.jp, Nov 8 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36

Example URL:

Steps to reproduce the problem:
1. Go to the site that returns cookies.
2. Use the link element to access the page containing the manifest.

What is the expected behavior?

What went wrong?
For example.
The link element in index.html.
<link href="manifest" href="/manifest.json">

When checking the network of the developer tool, the cookie header does not exist in the request header.
Is this correct?

Did this work before? N/A 

Chrome version: 70.0.3538.77  Channel: stable
OS Version: OS X 10.13.6
Flash Version:

Comment 1 by vamshi.kommuri@chromium.org, Nov 8

Labels: Needs-Triage-M70

Comment 2 by yoshiaki...@connecty.co.jp, Nov 8 

I'm sorry. I mistook the link element. The correct element is as follows. 
<link rel="manifest" href="/manifest.json">

Comment 3 by krajshree@chromium.org, Nov 8

Cc: krajshree@chromium.org
Labels: Triaged-ET Needs-Feedback
reporter@ - Thanks for filing the issue...!!

Could you please provide a sample test extension file/url to test the issue from TE-end. This will help us in triaging the issue further.

Thanks...!!

Comment 4 by yoshiaki...@connecty.co.jp, Nov 8 

I will attach a sample file.
1. After deployment, place it on the web server.
2. Access cookie.html and click the "Add Cookie" link.
3. Display the Network tab of Developer Tools and reload the page.
4. Click manifest.json and check the request header.
sample.tar.gz
846 bytes Download
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 8

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by mmenke@chromium.org, Nov 8

Components: -Internals>Network Blink>Loader Blink>SecurityFeature
The manifest is definitely requested with the no cookies flags:  DO_NOT_SAVE_COOKIES | DO_NOT_SEND_AUTH_DATA | DO_NOT_SEND_COOKIES

I defer to the relevant blink folks over whether this is expected.

Comment 7 by toyoshim@chromium.org, Nov 9

Cc: toyoshim@chromium.org yhirano@chromium.org
https://cs.chromium.org/chromium/src/content/renderer/fetchers/manifest_fetcher.cc
Our code intentionally does it, but it's unclear if this is correct in terms of the spec.

Existing code does:
 1. if crossOrigin attribute's value is 'use-credentials', then set request's credentials to 'include'.
 2. otherwise, set it to 'omit' (and set fetch request mode to 'cors' too)

1. is what spec requires in the 7.1 step 7; https://w3c.github.io/manifest/#obtaining

But, it's still unclear to me on 2. Probably, making 'no-cors' request is desirable if crossOrigin is not set?

cc: yhirano@

Comment 8 by toyoshim@chromium.org, Nov 9

Status: Untriaged (was: Unconfirmed)

Comment 9 by yoshiaki...@connecty.co.jp, Nov 12 

Thank you for your answer.

If crossOrigin is not set, I'm worried about "no-cors" or "omit".
I think that there is no problem with "omit".

Comment 10 by kinuko@chromium.org, Nov 27

Components: -Blink>Loader Blink>AppManifest
The cors behavior should be clarified by the spec & feature owners.

Comment 11 by jochen@chromium.org, Dec 6

Components: -Blink>SecurityFeature

Sign in to add a comment