Closed Bug 1394399 Opened 7 years ago Closed 7 years ago

Make fetch() use "same-origin" credentials by default

Categories

(Core :: DOM: Core & HTML, defect, P2)

defect

Tracking

()

RESOLVED FIXED
mozilla61
Tracking Status
firefox61 --- fixed

People

(Reporter: annevk, Assigned: bkelly)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete)

Attachments

(3 files)

See https://github.com/whatwg/fetch/pull/585 for rationale and proposed Fetch Standard change. Please try to coordinate changing your implementation with others. It's unlikely to be disruptive, but still seems better if it all happens roughly at the same time.
Priority: -- → P3
Priority: P3 → P2
There are some WPT test fixes upstream and chrome is mostly ready to implement. I think we should do this soonish. Since its likely small I'm assigning to myself.
Assignee: nobody → bkelly
Status: NEW → ASSIGNED
See Also: → 1444002
Comment on attachment 8969649 [details] [diff] [review] P1 Default Request.credentials to "same-origin" instead of "omit". r=baku Andrea, this patch changes default Request.credentials value from "omit" to "same-origin". This was discussed and changed in this spec issue: https://github.com/whatwg/fetch/pull/585
Attachment #8969649 - Flags: review?(amarchesini)
Comment on attachment 8969666 [details] [diff] [review] P2 Fix mochitests to expect "same-origin" default Request.credentials. r=baku This updates mochitests to expect the new default.
Attachment #8969666 - Flags: review?(amarchesini)
Comment on attachment 8969667 [details] [diff] [review] P3 Fix web-platform-tests to expect "same-origin" default Request.credentials. r=baku This updates WPT to expect the new default. Note, this has actually already landed upstream: https://github.com/w3c/web-platform-tests/commit/55d647f4f561e653a95684b17496f13d12a90512 I'm just doing it as a patch here to avoid having to wrestle with the WPT sync bot.
Attachment #8969667 - Flags: review?(amarchesini)
MDN should be updated to reflect that the default Request.credentials value has changed from "omit" to "same-origin". For determining if this has shipped in other browsers you can look at these issues: https://bugs.webkit.org/show_bug.cgi?id=176023 https://bugs.chromium.org/p/chromium/issues/detail?id=759543 https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13474598/
Keywords: dev-doc-needed
Attachment #8969666 - Flags: review?(amarchesini) → review+
Attachment #8969667 - Flags: review?(amarchesini) → review+
Attachment #8969649 - Flags: review?(amarchesini) → review+
Pushed by bkelly@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/2d657d8dadf9 P1 Default Request.credentials to "same-origin" instead of "omit". r=baku https://hg.mozilla.org/integration/mozilla-inbound/rev/3c02e9df8b2d P2 Fix mochitests to expect "same-origin" default Request.credentials. r=baku https://hg.mozilla.org/integration/mozilla-inbound/rev/2feb276e4fcc P3 Fix web-platform-tests to expect "same-origin" default Request.credentials. r=baku
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Documents updated to change the default for credentials to "same-origin": https://developer.mozilla.org/en-US/docs/Web/API/Request https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials Submitted PR #2157 to add the note about this change in Firefox 61 to the browser compatibility database. Updated Firefox 61 for developers to mention the change.
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: