Bug 189888

Summary: Change default credentials mode for module scripts from omit to same-origin
Product: WebKit Reporter: Dominic Farolino <domfarolino>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: achristensen, annevk, cdumez, d, fpizlo, webkit-bug-importer, youennf, ysuzuki
Priority: P2 Keywords: InRadar
Version: Safari 11   
Hardware: Unspecified   
OS: Unspecified   

Description Dominic Farolino 2018-09-22 12:21:57 PDT 
The HTML Standard is changing such that module scripts (<script type=module>), and their descendants are fetched with "same-origin" credentials mode [1]. This means credentials must be included on same-origin module scripts requests by default. See point (1) in the following HTML PR: https://github.com/whatwg/html/pull/3656#issuecomment-421589162. Some of the other points in that PR are pending spec finalization, and a separate issue should be filed for them.

[1]: https://fetch.spec.whatwg.org/#concept-request-credentials-mode
Comment 1 Radar WebKit Bug Importer 2018-09-26 13:25:21 PDT 
<rdar://problem/44805666>
Comment 2 Domenic Denicola 2018-10-09 13:45:14 PDT 
Spec change has now landed. See also #171550.

Web platform tests were changed in https://github.com/web-platform-tests/wpt/pull/13176 , with some additional related tests for module workers in https://github.com/web-platform-tests/wpt/pull/11274 and some additional test coverage ideas for dynamic import in https://github.com/web-platform-tests/wpt/issues/13426
Comment 3 Anne van Kesteren 2024-03-17 08:07:24 PDT 

*** This bug has been marked as a duplicate of bug 210326 ***