A group of colleagues of mine noticed that a session cookie was not being sent with a script request that looked something like this:

    <script src="./anonymous.js" crossorigin="anonymous"></script>

It looks as though Safari treats any resource request with the crossorigin="anonymous" attribute as anonymous. But this is only meant to apply to cross-origin requests. I set up a temporary PoC test page (the contents can be seen below) that can be viewed on Heroku (https://infinite-bayou-16019.herokuapp.com). The two endpoints reflect back a JS response based on whether a cookie is sent along with the JS fetch. Chrome and Firefox send cookies for both fetches, while Safari only sends it on the non-anonymous fetch.

    <html>
      <head>
        <script src="./non_anonymous.js"></script>
        <script src="./anonymous.js" crossorigin="anonymous"></script>
      </head>
      <body>
        <h1>Echo some cookies!</h1>
      </body>
    </html>
Thanks for filing this bug. We should set credential mode to same-origin in that case, which I believe would do what you are suggesting. Will try to look at it further. Are you seeing that for other resource types?
Created attachment 309016: Patch
<rdar://problem/39869363>
Three years later and it's still grinding my gears
@Christian Haller, I believe we have fixed this issue. Testing https://infinite-bayou-16019.herokuapp.com/, it seems to work. From code inspection, we are now correctly setting FetchOptions::Credentials::SameOrigin for anonymous loads. Would you be able to provide a jsfiddle with your issue? I'll close this bug for now. Please reopen it if you think this issue is not solved or create a new bug if this is actually a different issue.
Yes, this is fixed in https://trac.webkit.org/changeset/260038/webkit, and in STP 105 https://webkit.org/blog/10428/release-notes-for-safari-technology-preview-105/ *** This bug has been marked as a duplicate of bug 210326 ***
Nice, it works in Safari Technology Preview 106 👍🏻😍