Closed Bug 1248994 Opened 5 years ago Closed 5 years ago

service workers map no-cors <script> requests to same-origin credentials

Categories: Core :: DOM: Service Workers, defect
Version: 45 Branch
Priority: Not set
Severity: normal
Status: RESOLVED INVALID

Tracking Status
firefox44 --- wontfix
firefox45 --- affected
firefox46 --- affected
firefox47 --- affected

People: Reporter: bkelly, Assigned: bkelly
References: Blocks 1 open bug

A developer at theguardian.com reports that they are losing cookies on some of their cross-origin <script> elements.  (They are using JSONP here.)  It appears that we are incorrectly mapping the evt.request.credentials to 'same-origin' instead of 'include'.

From code inspection it appears this is happening due to this code:

  https://dxr.mozilla.org/mozilla-central/source/dom/fetch/InternalRequest.cpp#352

Note we handle SEC_COOKIES_INCLUDE, SEC_COOKIES_OMIT, and SEC_COOKIES_SAME_ORIGIN here.

The nsScriptLoader, however, leaves the flag as SEC_COOKIES_DEFAULT for no-cors script loading:

  https://dxr.mozilla.org/mozilla-central/source/dom/base/nsScriptLoader.cpp#293

I expected we should hit the MOZ_ASSERT_UNREACHABLE() assertion in InternalRequest.cpp on theguardian.com right now.

Further testing shows my analysis in comment 0 is wrong.  We don't hit the MOZ_ASSERT_UNREACHABLE.  That's because nsILoadInfo::GetCookiePolicy() automatically converts SEC_COOKIES_DEFAULT for us.
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
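
A site owner who sees the symptom described in this bug can check what the service worker actually receives for each request. The following is an added example, not code from this bug or from Gecko; `auditRequest` and the sample origins used with it are hypothetical names. It flags cross-origin no-cors requests whose `credentials` mode is anything other than `'include'`, which is the mode a classic `<script>` load without a `crossorigin` attribute should carry.

```javascript
// Added example: auditRequest and its field names are hypothetical.
// Summarises what a service worker sees for one request and flags the
// symptom from the report: a cross-origin no-cors load that does not
// arrive with credentials === 'include'.
function auditRequest(request, workerOrigin) {
  const target = new URL(request.url);
  const crossOrigin = target.origin !== workerOrigin;
  // Does the credentials mode permit cookies on a pass-through fetch?
  // (Browser cookie settings can still block them independently.)
  const credentialsAllowed =
    request.credentials === 'include' ||
    (request.credentials === 'same-origin' && !crossOrigin);
  return {
    url: target.href,
    mode: request.mode,
    credentials: request.credentials,
    crossOrigin,
    credentialsAllowed,
    suspicious:
      crossOrigin && request.mode === 'no-cors' && !credentialsAllowed,
  };
}

// Register the listener only when actually running as a service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined' &&
    self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('fetch', (evt) => {
    const finding = auditRequest(evt.request, self.location.origin);
    if (finding.suspicious) {
      console.warn('no-cors request without credentials=include', finding);
    }
    // Pass the request through unchanged, as a typical worker would.
    evt.respondWith(fetch(evt.request));
  });
}
```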