Summary: | Same-origin type="module" scripts only send cookies with crossorigin="use-credential" set | ||
---|---|---|---|
Product: | WebKit | Reporter: | webkitbugzilla |
Component: | Platform | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED DUPLICATE | ||
Severity: | Normal | CC: | achristensen, beidson, webkit-bug-importer, youennf, ysuzuki |
Priority: | P2 | Keywords: | InRadar |
Version: | Safari 13 | ||
Hardware: | All | ||
OS: | macOS 10.15 |
Description
webkitbugzilla
2020-01-26 15:50:54 PST
I've created a minimal example of this here. https://positive-shallot.glitch.me (Edit link here: https://glitch.com/edit/#!/positive-shallot) You can see that the same-origin "client.js" script tag with type="module" sends no request cookies, but does send them when the script requests the same file with a fetch(). Somewhat confusingly it requires the "crossorigin" tag to have the request send the same origin cookie (as shown with the "client-use-credentials.js" script). Thanks for your report. WebKit was implemented based on old spec description (using "omit" by default), and the spec is now changed. This is fixed in bug 210326. *** This bug has been marked as a duplicate of bug 210326 *** |