Make fetch() use "same-origin" credentials by default

RESOLVED FIXED in Firefox 61

Status

P2
normal
RESOLVED FIXED
a year ago
3 months ago

People

(Reporter: annevk, Assigned: bkelly)

Tracking

(Blocks: 1 bug, {dev-doc-complete})

unspecified
mozilla61
dev-doc-complete

Firefox Tracking Flags

(firefox61 fixed)

Details

Attachments

(3 attachments)

(Reporter)

Description

a year ago
See https://github.com/whatwg/fetch/pull/585 for rationale and proposed Fetch Standard change.

Please try to coordinate changing your implementation with others. It's unlikely to be disruptive, but still seems better if it all happens roughly at the same time.
(Assignee)

Updated

a year ago
Blocks: 1226983
Priority: -- → P3

Updated

7 months ago
Priority: P3 → P2
(Assignee)

Comment 1

5 months ago
There are some WPT test fixes upstream and Chrome is mostly ready to implement.  I think we should do this soonish.  Since it's likely small, I'm assigning to myself.
Assignee: nobody → bkelly
Status: NEW → ASSIGNED
(Assignee)

Comment 2

5 months ago
Created attachment 8969649 [details] [diff] [review]
P1 Default Request.credentials to "same-origin" instead of "omit". r=baku
(Assignee)

Updated

5 months ago
See Also: → bug 1444002
(Assignee)

Comment 3

5 months ago
Created attachment 8969666 [details] [diff] [review]
P2 Fix mochitests to expect "same-origin" default Request.credentials. r=baku
(Assignee)

Comment 4

5 months ago
Created attachment 8969667 [details] [diff] [review]
P3 Fix web-platform-tests to expect "same-origin" default Request.credentials. r=baku
(Assignee)

Updated

5 months ago
Duplicate of this bug: 1444002
(Assignee)

Comment 7

5 months ago
Comment on attachment 8969649 [details] [diff] [review]
P1 Default Request.credentials to "same-origin" instead of "omit". r=baku

Andrea, this patch changes the default Request.credentials value from "omit" to "same-origin".  This was discussed and changed in this spec issue:

https://github.com/whatwg/fetch/pull/585
Attachment #8969649 - Flags: review?(amarchesini)
(Assignee)

Comment 8

5 months ago
Comment on attachment 8969666 [details] [diff] [review]
P2 Fix mochitests to expect "same-origin" default Request.credentials. r=baku

This updates mochitests to expect the new default.
Attachment #8969666 - Flags: review?(amarchesini)
(Assignee)

Comment 9

5 months ago
Comment on attachment 8969667 [details] [diff] [review]
P3 Fix web-platform-tests to expect "same-origin" default Request.credentials. r=baku

This updates WPT to expect the new default.  Note, this has actually already landed upstream:

https://github.com/w3c/web-platform-tests/commit/55d647f4f561e653a95684b17496f13d12a90512

I'm just doing it as a patch here to avoid having to wrestle with the WPT sync bot.
Attachment #8969667 - Flags: review?(amarchesini)
(Assignee)

Comment 10

5 months ago
MDN should be updated to reflect that the default Request.credentials value has changed from "omit" to "same-origin".

For determining if this has shipped in other browsers you can look at these issues:

https://bugs.webkit.org/show_bug.cgi?id=176023
https://bugs.chromium.org/p/chromium/issues/detail?id=759543
https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13474598/
Keywords: dev-doc-needed
Attachment #8969666 - Flags: review?(amarchesini) → review+
Attachment #8969667 - Flags: review?(amarchesini) → review+
Attachment #8969649 - Flags: review?(amarchesini) → review+

Comment 11

5 months ago
Pushed by bkelly@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2d657d8dadf9
P1 Default Request.credentials to "same-origin" instead of "omit". r=baku
https://hg.mozilla.org/integration/mozilla-inbound/rev/3c02e9df8b2d
P2 Fix mochitests to expect "same-origin" default Request.credentials. r=baku
https://hg.mozilla.org/integration/mozilla-inbound/rev/2feb276e4fcc
P3 Fix web-platform-tests to expect "same-origin" default Request.credentials. r=baku

Comment 12

5 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/2d657d8dadf9
https://hg.mozilla.org/mozilla-central/rev/3c02e9df8b2d
https://hg.mozilla.org/mozilla-central/rev/2feb276e4fcc
Status: ASSIGNED → RESOLVED
Last Resolved: 5 months ago
status-firefox61: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Documents updated to change the default for credentials to "same-origin":

https://developer.mozilla.org/en-US/docs/Web/API/Request
https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials

Submitted PR #2157 to add the note about this change in Firefox 61 to the browser compatibility database.

Updated Firefox 61 for developers to mention the change.
Keywords: dev-doc-needed → dev-doc-complete
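
What the default change in this bug means for call sites, as an added example (not code from the bug's patches or from Gecko): a simplified model of the three credentials modes that flags which fetch() calls behave differently once the default moves from "omit" to "same-origin". The origins, URLs and helper names are constructed for illustration, and redirects are ignored.

```javascript
// Added illustration: a simplified model of the Fetch credentials modes.
// Not Gecko code; helper names and sample URLs are constructed.
const OLD_DEFAULT = "omit";        // Request.credentials default before this bug
const NEW_DEFAULT = "same-origin"; // default after this bug (Firefox 61)

// Would cookies / HTTP auth be attached to a request for `url` made by a
// document at `pageOrigin` under the given credentials mode?
// Simplification: redirects are not modelled.
function sendsCredentials(mode, pageOrigin, url) {
  const target = new URL(url, pageOrigin);
  switch (mode) {
    case "omit": return false;
    case "same-origin": return target.origin === new URL(pageOrigin).origin;
    case "include": return true;
    default: throw new TypeError(`unknown credentials mode: ${mode}`);
  }
}

// An explicit init.credentials wins; otherwise the browser default applies.
function effectiveMode(init, browserDefault) {
  return (init && init.credentials) || browserDefault;
}

// Audit helper: call sites whose credential behaviour differs between the
// old and the new default.
function changedByNewDefault(pageOrigin, calls) {
  return calls.filter(({ url, init }) =>
    sendsCredentials(effectiveMode(init, OLD_DEFAULT), pageOrigin, url) !==
    sendsCredentials(effectiveMode(init, NEW_DEFAULT), pageOrigin, url));
}

// Constructed sample call sites for a page served from https://app.example
const PAGE = "https://app.example";
const CALLS = [
  { url: "/api/profile" },                                // same-origin, no init
  { url: "/api/public", init: { credentials: "omit" } },  // explicit opt-out
  { url: "https://cdn.example/lib.js" },                  // cross-origin, no init
  { url: "https://api.example/v1", init: { credentials: "include" } },
];

function report() {
  return changedByNewDefault(PAGE, CALLS).map((c) => c.url);
}

console.log(report()); // [ '/api/profile' ]
```

Only the same-origin call that passes no `credentials` value changes behaviour; a call site that must never carry cookies keeps its old behaviour by setting `credentials: "omit"` explicitly.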