206811 – Same-origin type="module" scripts only send cookies with crossorigin="use-credential" set

RESOLVED DUPLICATE of bug 210326 Bug 206811

Same-origin type="module" scripts only send cookies with crossorigin="use-credential" set

https://bugs.webkit.org/show_bug.cgi?id=206811

Summary Same-origin type="module" scripts only send cookies with crossorigin="use-cre...

webkitbugzilla

Reported 2020-01-26 15:50:54 PST

Safari seems to diverge from the other browsers (Chrome, Chromium Edge and Firefox) in how it treats the sending of cookies with requests with same-origin type="module" script tags, and it seems to exist even if "cross site tracking" is deactivated. At first I thought it was CORS related, but because the script is being served from the same-origin I believe CORS wouldn't be required. The only way I was able to accomplish actually sending cookies on such a request was with passing `crossorigin="use-credentials"`. This does seem similar in nature to these outstanding bugs: https://bugs.webkit.org/show_bug.cgi?id=171566 https://bugs.webkit.org/show_bug.cgi?id=171550 What's even stranger is that it _does_ seem to be fine with fetch(). I can successfully send a fetch() request for the same file in the console of the page (which should throw an error if the cookies were not included in the request).

Attachments
Add attachment proposed patch, testcase, etc.

webkitbugzilla

Comment 1 2020-01-26 16:16:11 PST

I've created a minimal example of this here. https://positive-shallot.glitch.me (Edit link here: https://glitch.com/edit/#!/positive-shallot) You can see that the same-origin "client.js" script tag with type="module" sends no request cookies, but does send them when the script requests the same file with a fetch(). Somewhat confusingly it requires the "crossorigin" tag to have the request send the same origin cookie (as shown with the "client-use-credentials.js" script).

Radar WebKit Bug Importer

Comment 2 2020-01-27 22:50:03 PST

<rdar://problem/58946768>

Yusuke Suzuki

Comment 3 2020-04-14 10:03:48 PDT

Thanks for your report. WebKit was implemented based on old spec description (using "omit" by default), and the spec is now changed. This is fixed in bug 210326. *** This bug has been marked as a duplicate of bug 210326 ***

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution DUPLICATE

of bug 210326

Priority P2

Severity Normal

Classification Unclassified

Version Safari 13

Hardware All

OS macOS 10.15

Product WebKit

Component Platform

Assignee

Nobody

Reported

2020-01-26 15:50 PST

Modified

2020-04-14 10:03 PDT History

CC List

5 users Show

URL

Keywords InRadar

Depends on

Blocks