Bug 206811

Summary: Same-origin type="module" scripts only send cookies with crossorigin="use-credential" set
Product: WebKit Reporter: webkitbugzilla
Component: PlatformAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: achristensen, beidson, webkit-bug-importer, youennf, ysuzuki
Priority: P2 Keywords: InRadar
Version: Safari 13   
Hardware: All   
OS: macOS 10.15   

Description webkitbugzilla 2020-01-26 15:50:54 PST 
Safari seems to diverge from the other browsers (Chrome, Chromium Edge and Firefox) in how it treats the sending of cookies with requests with same-origin type="module" script tags, and it seems to exist even if "cross site tracking" is deactivated. At first I thought it was CORS related, but because the script is being served from the same-origin I believe CORS wouldn't be required. The only way I was able to accomplish actually sending cookies on such a request was with passing `crossorigin="use-credentials"`.

This does seem similar in nature to these outstanding bugs:
https://bugs.webkit.org/show_bug.cgi?id=171566
https://bugs.webkit.org/show_bug.cgi?id=171550

What's even stranger is that it _does_ seem to be fine with fetch(). I can successfully send a fetch() request for the same file in the console of the page (which should throw an error if the cookies were not included in the request).
Comment 1 webkitbugzilla 2020-01-26 16:16:11 PST 
I've created a minimal example of this here.

https://positive-shallot.glitch.me

(Edit link here: https://glitch.com/edit/#!/positive-shallot)

You can see that the same-origin "client.js" script tag with type="module" sends no request cookies, but does send them when the script requests the same file with a fetch(). Somewhat confusingly it requires the "crossorigin" tag to have the request send the same origin cookie (as shown with the "client-use-credentials.js" script).
Comment 2 Radar WebKit Bug Importer 2020-01-27 22:50:03 PST 
<rdar://problem/58946768>
Comment 3 Yusuke Suzuki 2020-04-14 10:03:48 PDT 
Thanks for your report. WebKit was implemented based on old spec description (using "omit" by default), and the spec is now changed. This is fixed in bug 210326.

*** This bug has been marked as a duplicate of bug 210326 ***