Bug 189888 - Change default credentials mode for module scripts from omit to same-origin
Status: RESOLVED DUPLICATE of bug 210326
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: Safari 11
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-09-22 12:21 PDT by Dominic Farolino
Modified: 2024-03-17 08:07 PDT
Description Dominic Farolino 2018-09-22 12:21:57 PDT
The HTML Standard is changing such that module scripts (<script type=module>) and their descendants are fetched with "same-origin" credentials mode [1]. This means credentials must be included on same-origin module script requests by default. See point (1) in the following HTML PR: https://github.com/whatwg/html/pull/3656#issuecomment-421589162. Some of the other points in that PR are pending spec finalization, and a separate issue should be filed for them.

[1]: https://fetch.spec.whatwg.org/#concept-request-credentials-mode
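An added example, not part of the bug report and not WebKit or specification code: a small model of which requests in a module graph carry cookies or HTTP authentication under the old default ("omit") and the new one ("same-origin"), including how the `crossorigin` attribute overrides the default. The function names, origins and module URLs are constructed for illustration, and redirects are not modelled.

```javascript
// Added illustration; function names and sample URLs are constructed.

// Credentials mode HTML derives from a module script's crossorigin attribute.
// `absentDefault` is the mode used when the attribute is missing:
// "omit" before the change described above, "same-origin" after it.
function moduleCredentialsMode(crossorigin, absentDefault) {
  if (crossorigin === null || crossorigin === undefined) return absentDefault;
  // Only the "use-credentials" keyword (ASCII case-insensitive) yields
  // "include"; "", "anonymous" and unknown values are the Anonymous state.
  return String(crossorigin).toLowerCase() === "use-credentials"
    ? "include"
    : "same-origin";
}

// Fetch's rule for attaching cookies and HTTP auth, simplified: redirects
// are ignored, so the check uses the URL as written.
function sendsCredentials(mode, documentOrigin, url) {
  if (mode === "include") return true;
  if (mode === "omit") return false;
  return new URL(url).origin === documentOrigin; // mode is "same-origin"
}

// For each module URL in a graph, report whether credentials were sent under
// the old default and whether they are under the new one.
function auditModuleGraph(documentUrl, crossorigin, moduleUrls) {
  const documentOrigin = new URL(documentUrl).origin;
  return moduleUrls.map((raw) => {
    const url = new URL(raw, documentUrl).href;
    const before = sendsCredentials(
      moduleCredentialsMode(crossorigin, "omit"), documentOrigin, url);
    const after = sendsCredentials(
      moduleCredentialsMode(crossorigin, "same-origin"), documentOrigin, url);
    return { url, before, after, changed: before !== after };
  });
}

// Constructed sample: two same-origin modules and one on another origin.
const sampleGraph = ["/js/main.mjs", "./lib/util.mjs", "https://cdn.example/vendor.mjs"];
for (const attr of [null, "anonymous", "use-credentials"]) {
  console.log(attr, auditModuleGraph("https://app.example/index.html", attr, sampleGraph));
}
```

Only the attribute-less case changes, and only for same-origin URLs: those endpoints start receiving the session cookie, while cross-origin module requests stay credential-free unless `crossorigin="use-credentials"` is set.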
Comment 1 Radar WebKit Bug Importer 2018-09-26 13:25:21 PDT
<rdar://problem/44805666>
Comment 2 Domenic Denicola 2018-10-09 13:45:14 PDT
Spec change has now landed. See also #171550.

Web platform tests were changed in https://github.com/web-platform-tests/wpt/pull/13176 , with some additional related tests for module workers in https://github.com/web-platform-tests/wpt/pull/11274 and some additional test coverage ideas for dynamic import in https://github.com/web-platform-tests/wpt/issues/13426
Comment 3 Anne van Kesteren 2024-03-17 08:07:24 PDT

*** This bug has been marked as a duplicate of bug 210326 ***