Closed
Bug 1493449
Opened 6 years ago
Closed 6 years ago
Change default credentials mode for module scripts from omit to same-origin
Categories
(Core :: DOM: Core & HTML, defect, P2)
Tracking
RESOLVED
FIXED
mozilla64
Version | Tracking | Status |
---|---|---|
firefox64 | --- | fixed |
People
(Reporter: domfarolino, Assigned: bzbarsky)
Attachments
(1 file)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36

Steps to reproduce:

The HTML Standard is changing such that module scripts (<script type=module>), and their descendants are fetched with "same-origin" credentials mode [1]. This means credentials must be included on same-origin module scripts requests by default. See point (1) in the following HTML PR: https://github.com/whatwg/html/pull/3656#issuecomment-421589162. Some of the other points in that PR are pending spec finalization, and a separate issue should be filed for them.

[1]: https://fetch.spec.whatwg.org/#concept-request-credentials-mode
Comment 1•6 years ago
For reference, we made a similar change for fetch() in bug 1394399.
Updated•6 years ago
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM
Ever confirmed: true
Product: Firefox → Core
Comment 2•6 years ago (Assignee)
So just to be clear, that means that for module scripts crossorigin="anonymous" and not having a "crossorigin" attribute set at all have identical credentials behavior, right? Am I correct, based on https://github.com/whatwg/html/pull/3656#issuecomment-421589162 and the Firefox result on <http://w3c-test.org/html/semantics/scripting-1/the-script-element/module/credentials.sub.html>, that there are no updated web platform tests here yet?
Comment 3•6 years ago (Reporter)
That is correct. I've started on the WPTs for this alongside the Chromium impl; you can see what tests I've edited here: https://crrev.com/c/1239638.
Comment 4•6 years ago
Note that it's also in line with what we typically do for CORS requests. The "unusual" (but good) thing here is that module scripts don't have a "no-cors" mode.
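The behaviour discussed in comments 2 to 4, as an added example that is not part of the bug or of Gecko's code: a small JavaScript model of how the crossorigin attribute maps to a credentials mode for module scripts before and after this change. Function names and sample URLs are constructed, and redirects are ignored.

```javascript
// Added example: a model of the credentials decision for <script type=module>.
// All function names are hypothetical; this is not Gecko's ScriptLoader code.

// crossorigin attribute -> CORS settings state (null means attribute absent).
// Per the HTML Standard, "" and unrecognised values map to the Anonymous state.
function corsState(crossorigin) {
  if (crossorigin === null || crossorigin === undefined) return "none";
  return String(crossorigin).toLowerCase() === "use-credentials"
    ? "use-credentials"
    : "anonymous";
}

// Credentials mode for a module script. `legacy: true` models the behaviour
// before this bug, where a missing attribute meant "omit".
function moduleCredentialsMode(crossorigin, { legacy = false } = {}) {
  const state = corsState(crossorigin);
  if (state === "use-credentials") return "include";
  if (state === "anonymous") return "same-origin";
  return legacy ? "omit" : "same-origin";
}

// Would cookies / HTTP auth accompany the module request? Redirects are
// ignored (assumption): only the initial URL's origin is compared.
function sendsCredentials(pageUrl, scriptSrc, crossorigin, opts) {
  const mode = moduleCredentialsMode(crossorigin, opts);
  if (mode === "include") return true;
  if (mode === "omit") return false;
  return new URL(scriptSrc, pageUrl).origin === new URL(pageUrl).origin;
}

// Returns the script entries whose outcome differs before and after the change.
function changedCases(pageUrl, scripts) {
  return scripts.filter(({ src, crossorigin }) =>
    sendsCredentials(pageUrl, src, crossorigin, { legacy: true }) !==
    sendsCredentials(pageUrl, src, crossorigin, { legacy: false }));
}

// Constructed sample input (not taken from the bug).
const PAGE = "https://app.example/index.html";
const SCRIPTS = [
  { src: "/js/main.mjs", crossorigin: null },
  { src: "/js/main.mjs", crossorigin: "anonymous" },
  { src: "https://cdn.example/lib.mjs", crossorigin: null },
  { src: "https://cdn.example/lib.mjs", crossorigin: "use-credentials" },
];
console.log(changedCases(PAGE, SCRIPTS));
```

Only the same-origin script without a crossorigin attribute changes outcome, which is the case to review when a server relied on module requests arriving without cookies.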
Updated•6 years ago (Assignee)
Assignee: nobody → bzbarsky
Updated•6 years ago
Priority: -- → P2
Comment 5•6 years ago (Assignee)
The tests come directly from https://github.com/web-platform-tests/wpt/pull/13176 and https://github.com/web-platform-tests/wpt/pull/13245
Comment 6•6 years ago
Comment on attachment 9012661
Bug 1493449. Change the default credentials mode for module scripts from 'omit' to 'same-origin'. r=farre

Andreas Farre [:farre] has approved the revision.
Attachment #9012661 - Flags: review+
Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2de25096cdd5
Change the default credentials mode for module scripts from 'omit' to 'same-origin'. r=farre
Comment 8•6 years ago
Backed out changeset 2de25096cdd5 (bug 1493449) for mochitest failure

Log: https://treeherder.mozilla.org/logviewer.html#?job_id=202956169&repo=autoland&lineNumber=2281

INFO - TEST-START | browser/components/payments/test/mochitest/test_address_picker.html
[task 2018-10-02T20:26:02.891Z] 20:26:02 INFO - GECKO(2267) | [Parent 2267, Gecko_IOThread] WARNING: pipe error (76): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 356
[task 2018-10-02T20:26:02.912Z] 20:26:02 INFO - GECKO(2267) | ###!!! [Parent][MessageChannel] Error: (msgtype=0x190084,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
[task 2018-10-02T20:26:02.973Z] 20:26:02 INFO - GECKO(2267) | A content process crashed and MOZ_CRASHREPORTER_SHUTDOWN is set, shutting down
[task 2018-10-02T20:26:03.334Z] 20:26:03 INFO - GECKO(2267) | 1538511963325 Marionette DEBUG Received observer notification xpcom-will-shutdown
[task 2018-10-02T20:26:03.342Z] 20:26:03 INFO - GECKO(2267) | 1538511963326 Marionette INFO Stopped listening on port 2828
[task 2018-10-02T20:26:03.343Z] 20:26:03 INFO - GECKO(2267) | 1538511963326 Marionette DEBUG Remote service is inactive
[task 2018-10-02T20:26:03.668Z] 20:26:03 INFO - TEST-INFO | Main app process: exit 0
[task 2018-10-02T20:26:03.673Z] 20:26:03 INFO - runtests.py | Application ran for: 0:00:10.105599
[task 2018-10-02T20:26:03.673Z] 20:26:03 INFO - zombiecheck | Reading PID log: /tmp/tmpYw9qAwpidlog
[task 2018-10-02T20:26:03.673Z] 20:26:03 INFO - ==> process 2267 launched child process 2290
[task 2018-10-02T20:26:03.673Z] 20:26:03 INFO - ==> process 2267 launched child process 2345
[task 2018-10-02T20:26:03.673Z] 20:26:03 INFO - ==> process 2267 launched child process 2360
[task 2018-10-02T20:26:03.673Z] 20:26:03 INFO - ==> process 2267 launched child process 2414
[task 2018-10-02T20:26:03.673Z] 20:26:03 INFO - ==> process 2267 launched child process 2448
[task 2018-10-02T20:26:03.673Z] 20:26:03 INFO - zombiecheck | Checking for orphan process with PID: 2360
[task 2018-10-02T20:26:03.674Z] 20:26:03 INFO - zombiecheck | Checking for orphan process with PID: 2345
[task 2018-10-02T20:26:03.674Z] 20:26:03 INFO - zombiecheck | Checking for orphan process with PID: 2290
[task 2018-10-02T20:26:03.674Z] 20:26:03 INFO - zombiecheck | Checking for orphan process with PID: 2448
[task 2018-10-02T20:26:03.674Z] 20:26:03 INFO - zombiecheck | Checking for orphan process with PID: 2414
[task 2018-10-02T20:26:03.675Z] 20:26:03 INFO - mozcrash Downloading symbols from: https://queue.taskcluster.net/v1/task/fskCj5AbSG-YY_TVEVvBBw/artifacts/public/build/target.crashreporter-symbols.zip
[task 2018-10-02T20:26:11.083Z] 20:26:11 INFO - mozcrash Copy/paste: /usr/local/bin/linux64-minidump_stackwalk /tmp/tmpnKScAN.mozrunner/minidumps/0d2568b3-468b-f2c4-0ded-ca7af3246e59.dmp /tmp/tmpmi4a5S
[task 2018-10-02T20:26:22.092Z] 20:26:22 INFO - mozcrash Saved minidump as /builds/worker/workspace/build/blobber_upload_dir/0d2568b3-468b-f2c4-0ded-ca7af3246e59.dmp
[task 2018-10-02T20:26:22.092Z] 20:26:22 INFO - mozcrash Saved app info as /builds/worker/workspace/build/blobber_upload_dir/0d2568b3-468b-f2c4-0ded-ca7af3246e59.extra
[task 2018-10-02T20:26:22.155Z] 20:26:22 INFO - PROCESS-CRASH | Main app process exited normally | application crashed [@ mozilla::dom::ScriptLoader::GetScriptSource(JSContext*, mozilla::dom::ScriptLoadRequest*)]
[task 2018-10-02T20:26:22.157Z] 20:26:22 INFO - Crash dump filename: /tmp/tmpnKScAN.mozrunner/minidumps/0d2568b3-468b-f2c4-0ded-ca7af3246e59.dmp
[task 2018-10-02T20:26:22.158Z] 20:26:22 INFO - Operating system: Linux
[task 2018-10-02T20:26:22.160Z] 20:26:22 INFO - 0.0.0 Linux 4.4.0-1014-aws #14taskcluster1-Ubuntu SMP Tue Apr 3 10:27:00 UTC 2018 x86_64
[task 2018-10-02T20:26:22.161Z] 20:26:22 INFO - CPU: x86
[task 2018-10-02T20:26:22.163Z] 20:26:22 INFO - GenuineIntel family 6 model 62 stepping 4
[task 2018-10-02T20:26:22.164Z] 20:26:22 INFO - 2 CPUs
[task 2018-10-02T20:26:22.166Z] 20:26:22 INFO -
[task 2018-10-02T20:26:22.168Z] 20:26:22 INFO - GPU: UNKNOWN
[task 2018-10-02T20:26:22.169Z] 20:26:22 INFO -
[task 2018-10-02T20:26:22.171Z] 20:26:22 INFO - Crash reason: SIGSEGV
[task 2018-10-02T20:26:22.172Z] 20:26:22 INFO - Crash address: 0x0
[task 2018-10-02T20:26:22.174Z] 20:26:22 INFO - Process uptime: not available
[task 2018-10-02T20:26:22.175Z] 20:26:22 INFO -
[task 2018-10-02T20:26:22.177Z] 20:26:22 INFO - Thread 0 (crashed)

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&searchStr=1&revision=2de25096cdd54c32488a4d5fdb1fefce6d1fb6db
Backout: https://hg.mozilla.org/integration/autoland/rev/fa95314b2d87293cbc150662dc5eaadd73624cf0
Flags: needinfo?(bzbarsky)
Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e2ec1eeb812d
Change the default credentials mode for module scripts from 'omit' to 'same-origin'. r=farre
Comment 10•6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/e2ec1eeb812d
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox64: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Updated•6 years ago (Assignee)
Flags: needinfo?(bzbarsky)
Updated•5 years ago
Component: DOM → DOM: Core & HTML