Bug 206811
| Summary: | Same-origin type="module" scripts only send cookies with crossorigin="use-credential" set | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | webkitbugzilla |
| Component: | Platform | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | achristensen, beidson, webkit-bug-importer, youennf, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 13 | ||
| Hardware: | All | ||
| OS: | macOS 10.15 | ||
webkitbugzilla
Safari seems to diverge from the other browsers (Chrome, Chromium Edge and Firefox) in how it treats the sending of cookies with requests with same-origin type="module" script tags, and it seems to exist even if "cross site tracking" is deactivated. At first I thought it was CORS related, but because the script is being served from the same-origin I believe CORS wouldn't be required. The only way I was able to accomplish actually sending cookies on such a request was with passing `crossorigin="use-credentials"`.
This does seem similar in nature to these outstanding bugs:
https://bugs.webkit.org/show_bug.cgi?id=171566
https://bugs.webkit.org/show_bug.cgi?id=171550
What's even stranger is that it _does_ seem to be fine with fetch(). I can successfully send a fetch() request for the same file in the console of the page (which should throw an error if the cookies were not included in the request).
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
webkitbugzilla
I've created a minimal example of this here.
https://positive-shallot.glitch.me
(Edit link here: https://glitch.com/edit/#!/positive-shallot)
You can see that the same-origin "client.js" script tag with type="module" sends no request cookies, but does send them when the script requests the same file with a fetch(). Somewhat confusingly it requires the "crossorigin" tag to have the request send the same origin cookie (as shown with the "client-use-credentials.js" script).
Radar WebKit Bug Importer
<rdar://problem/58946768>
Yusuke Suzuki
Thanks for your report. WebKit was implemented based on old spec description (using "omit" by default), and the spec is now changed. This is fixed in bug 210326.
*** This bug has been marked as a duplicate of bug 210326 ***