Closed Bug 1248994 Opened 5 years ago Closed 5 years ago
service workers map no-cors <script> requests to same-origin credentials
A developer at theguardian.com reports that they are losing cookies on some of their cross-origin <script> elements. (They are using JSONP here.) It appears that we are incorrectly mapping the evt.request.credentials to 'same-origin' instead of 'include'.
From code inspection it appears this is happening due to this code: https://dxr.mozilla.org/mozilla-central/source/dom/fetch/InternalRequest.cpp#352
Note we handle SEC_COOKIES_INCLUDE, SEC_COOKIES_OMIT, and SEC_COOKIES_SAME_ORIGIN here. The nsScriptLoader, however, leaves the flag as SEC_COOKIES_DEFAULT for no-cors script loading: https://dxr.mozilla.org/mozilla-central/source/dom/base/nsScriptLoader.cpp#293
I expected we should hit the MOZ_ASSERT_UNREACHABLE() assertion in InternalRequest.cpp on theguardian.com right now.
Further testing shows my analysis in comment 0 is wrong. We don't hit the MOZ_ASSERT_UNREACHABLE. That's because nsILoadInfo::GetCookiePolicy() automatically converts SEC_COOKIES_DEFAULT for us.
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID