Closed Bug 1248994 Opened 9 years ago Closed 9 years ago

service workers map no-cors <script> requests to same-origin credentials

Categories

(Core :: DOM: Service Workers, defect)

45 Branch
defect
Not set
normal

Tracking

RESOLVED INVALID
Tracking Status
firefox44 --- wontfix
firefox45 --- affected
firefox46 --- affected
firefox47 --- affected

People

(Reporter: bkelly, Assigned: bkelly)

References

(Blocks 1 open bug)

Details

A developer at theguardian.com reports that they are losing cookies on some of their cross-origin <script> elements. (They are using JSONP here.)

It appears that we are incorrectly mapping the evt.request.credentials to 'same-origin' instead of 'include'. From code inspection it appears this is happening due to this code:

  https://dxr.mozilla.org/mozilla-central/source/dom/fetch/InternalRequest.cpp#352

Note we handle SEC_COOKIES_INCLUDE, SEC_COOKIES_OMIT, and SEC_COOKIES_SAME_ORIGIN here. The nsScriptLoader, however, leaves the flag as SEC_COOKIES_DEFAULT for no-cors script loading:

  https://dxr.mozilla.org/mozilla-central/source/dom/base/nsScriptLoader.cpp#293

I expected we should hit the MOZ_ASSERT_UNREACHABLE() assertion in InternalRequest.cpp on theguardian.com right now.

Further testing shows my analysis in comment 0 is wrong. We don't hit the MOZ_ASSERT_UNREACHABLE. That's because nsILoadInfo::GetCookiePolicy() automatically converts SEC_COOKIES_DEFAULT for us.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
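
A diagnostic a site developer could load in a service worker to see which credentials mode no-cors script requests actually arrive with, the question this bug turned on. This is an added example, not Gecko code or the reporter's worker; the function name auditScriptRequest and the sample URL are hypothetical, and it assumes the Fetch/HTML default that a classic <script src> without a crossorigin attribute uses mode "no-cors" with credentials "include".

```javascript
// Added diagnostic example; not Gecko code and not any site's real worker.
// Assumption (HTML/Fetch specs): a classic <script src> without a crossorigin
// attribute is fetched with mode "no-cors" and credentials "include".

// Constructed sample: the shape of a cross-origin JSONP script request.
const SAMPLE_JSONP_REQUEST = {
  url: 'https://api.example.test/data?callback=cb',
  destination: 'script',
  mode: 'no-cors',
  credentials: 'include',
};

// Returns null for requests this check does not cover, otherwise a finding
// that says whether cookies can accompany the script request.
function auditScriptRequest(request, workerOrigin) {
  if (request.destination !== 'script' || request.mode !== 'no-cors') {
    return null;
  }
  const crossOrigin = new URL(request.url).origin !== workerOrigin;
  // 'same-origin' credentials only carry cookies to the worker's own origin.
  const sendsCookies =
    request.credentials === 'include' ||
    (request.credentials === 'same-origin' && !crossOrigin);
  return {
    url: request.url,
    crossOrigin,
    credentials: request.credentials,
    matchesSpec: request.credentials === 'include',
    sendsCookies,
  };
}

// Register the handler only inside a service worker, so the file can also be
// loaded elsewhere to exercise auditScriptRequest() directly.
if (typeof self !== 'undefined' &&
    typeof self.addEventListener === 'function' &&
    typeof self.registration !== 'undefined') {
  self.addEventListener('fetch', (evt) => {
    const finding = auditScriptRequest(evt.request, self.location.origin);
    if (finding && !finding.matchesSpec) {
      console.warn('no-cors script request with unexpected credentials', finding);
    }
    // Pass the original Request through so its mode and credentials are kept.
    evt.respondWith(fetch(evt.request));
  });
}
```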