service workers map no-cors <script> requests to same-origin credentials

RESOLVED INVALID

Status

defect
3 years ago
3 years ago

People

(Reporter: bkelly, Assigned: bkelly)

Tracking

(Blocks 1 bug)

45 Branch

Firefox Tracking Flags

(firefox44 wontfix, firefox45 affected, firefox46 affected, firefox47 affected)

Details

A developer at theguardian.com reports that they are losing cookies on some of their cross-origin <script> elements. (They are using JSONP here.) It appears that we are incorrectly mapping the evt.request.credentials to 'same-origin' instead of 'include'.

From code inspection it appears this is happening due to this code:

  https://dxr.mozilla.org/mozilla-central/source/dom/fetch/InternalRequest.cpp#352

Note we handle SEC_COOKIES_INCLUDE, SEC_COOKIES_OMIT, and SEC_COOKIES_SAME_ORIGIN here.

The nsScriptLoader, however, leaves the flag as SEC_COOKIES_DEFAULT for no-cors script loading:

  https://dxr.mozilla.org/mozilla-central/source/dom/base/nsScriptLoader.cpp#293

I expected we should hit the MOZ_ASSERT_UNREACHABLE() assertion in InternalRequest.cpp on theguardian.com right now.

Further testing shows my analysis in comment 0 is wrong. We don't hit the MOZ_ASSERT_UNREACHABLE. That's because nsILoadInfo::GetCookiePolicy() automatically converts SEC_COOKIES_DEFAULT for us.
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
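
Added example, not part of the bug thread and not Gecko code: a service worker helper a site could use to check the symptom reported above, by recording the credentials mode it sees on no-cors script requests. The function name, sample URLs and origins are hypothetical and the sample requests are constructed.

```javascript
// A classic <script> without a crossorigin attribute is fetched with
// mode "no-cors" and credentials "include", so cookies are sent cross-origin.
// auditScriptRequest (hypothetical name) reports when that expectation fails.
function auditScriptRequest(request, workerOrigin) {
  const crossOrigin = new URL(request.url).origin !== workerOrigin;
  const finding = {
    url: request.url,
    mode: request.mode,
    credentials: request.credentials,
    crossOrigin,
    cookiesDropped: false,
  };
  // CORS-mode and module scripts follow different rules; leave them alone.
  if (request.mode !== 'no-cors') return finding;
  // 'same-origin' or 'omit' on a cross-origin no-cors load means the script
  // is fetched without cookies, which is the symptom described in comment 0.
  finding.cookiesDropped = crossOrigin && request.credentials !== 'include';
  return finding;
}

// Wiring for a real service worker; skipped when run outside one.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  self.addEventListener('fetch', (evt) => {
    if (evt.request.destination !== 'script') return;
    const f = auditScriptRequest(evt.request, self.location.origin);
    if (f.cookiesDropped) console.warn('no-cors script fetched without cookies', f);
    // Pass the original Request through so its credentials mode is preserved.
    evt.respondWith(fetch(evt.request));
  });
}

// Constructed sample requests (plain objects with the Request fields used).
const SAMPLE_ORIGIN = 'https://www.example.com';
const SAMPLES = [
  { url: 'https://api.example.net/jsonp?callback=cb', mode: 'no-cors', credentials: 'include' },
  { url: 'https://api.example.net/jsonp?callback=cb', mode: 'no-cors', credentials: 'same-origin' },
  { url: 'https://www.example.com/app.js', mode: 'no-cors', credentials: 'same-origin' },
  { url: 'https://cdn.example.net/lib.js', mode: 'cors', credentials: 'same-origin' },
];

function auditSamples() {
  return SAMPLES.map((r) => auditScriptRequest(r, SAMPLE_ORIGIN));
}
```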