Closed Bug 1493449 Opened 2 years ago Closed 2 years ago

Change default credentials mode for module scripts from omit to same-origin

Categories

(Core :: DOM: Core & HTML, defect, P2)

defect

Tracking

()

RESOLVED FIXED
mozilla64
Tracking Status
firefox64 --- fixed

People

(Reporter: domfarolino, Assigned: bzbarsky)

References

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36

Steps to reproduce:

The HTML Standard is changing such that module scripts (<script type=module>), and their descendants are fetched with "same-origin" credentials mode [1]. This means credentials must be included on same-origin module scripts requests by default. See point (1) in the following HTML PR: https://github.com/whatwg/html/pull/3656#issuecomment-421589162. Some of the other points in that PR are pending spec finalization, and a separate issue should be filed for them.

[1]: https://fetch.spec.whatwg.org/#concept-request-credentials-mode
For reference, we made a similar change for fetch() in bug 1394399.
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM
Ever confirmed: true
Product: Firefox → Core
So just to be clear, that means that for module scripts crossorigin="anonymous" and not having a "crossorigin" attribute set at all have identical credentials behavior, right?

Am I correct, based on https://github.com/whatwg/html/pull/3656#issuecomment-421589162 and the Firefox result on <http://w3c-test.org/html/semantics/scripting-1/the-script-element/module/credentials.sub.html>, that there are no updated web platform tests here yet?
That is correct. I've started on the WPTs for this alongside the chromium impl, you can see what tests I've edited here: https://crrev.com/c/1239638.
Note that it's also in line with what we typically do for CORS requests. The "unusual" (but good) thing here is that module scripts don't have a "no-cors" mode.
Assignee: nobody → bzbarsky
Priority: -- → P2
Comment on attachment 9012661 [details]
Bug 1493449.  Change the default credentials mode for module scripts from 'omit' to 'same-origin'.  r=farre

Andreas Farre [:farre] has approved the revision.
Attachment #9012661 - Flags: review+
Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2de25096cdd5
Change the default credentials mode for module scripts from 'omit' to 'same-origin'.  r=farre
Backed out changeset 2de25096cdd5 (bug 1493449) for mochitest failure

Log:
https://treeherder.mozilla.org/logviewer.html#?job_id=202956169&repo=autoland&lineNumber=2281

  INFO - TEST-START | browser/components/payments/test/mochitest/test_address_picker.html
[task 2018-10-02T20:26:02.891Z] 20:26:02     INFO - GECKO(2267) | [Parent 2267, Gecko_IOThread] WARNING: pipe error (76): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 356
[task 2018-10-02T20:26:02.912Z] 20:26:02     INFO - GECKO(2267) | ###!!! [Parent][MessageChannel] Error: (msgtype=0x190084,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
[task 2018-10-02T20:26:02.973Z] 20:26:02     INFO - GECKO(2267) | A content process crashed and MOZ_CRASHREPORTER_SHUTDOWN is set, shutting down
[task 2018-10-02T20:26:03.334Z] 20:26:03     INFO - GECKO(2267) | 1538511963325	Marionette	DEBUG	Received observer notification xpcom-will-shutdown
[task 2018-10-02T20:26:03.342Z] 20:26:03     INFO - GECKO(2267) | 1538511963326	Marionette	INFO	Stopped listening on port 2828
[task 2018-10-02T20:26:03.343Z] 20:26:03     INFO - GECKO(2267) | 1538511963326	Marionette	DEBUG	Remote service is inactive
[task 2018-10-02T20:26:03.668Z] 20:26:03     INFO - TEST-INFO | Main app process: exit 0
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - runtests.py | Application ran for: 0:00:10.105599
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - zombiecheck | Reading PID log: /tmp/tmpYw9qAwpidlog
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - ==> process 2267 launched child process 2290
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - ==> process 2267 launched child process 2345
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - ==> process 2267 launched child process 2360
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - ==> process 2267 launched child process 2414
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - ==> process 2267 launched child process 2448
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - zombiecheck | Checking for orphan process with PID: 2360
[task 2018-10-02T20:26:03.674Z] 20:26:03     INFO - zombiecheck | Checking for orphan process with PID: 2345
[task 2018-10-02T20:26:03.674Z] 20:26:03     INFO - zombiecheck | Checking for orphan process with PID: 2290
[task 2018-10-02T20:26:03.674Z] 20:26:03     INFO - zombiecheck | Checking for orphan process with PID: 2448
[task 2018-10-02T20:26:03.674Z] 20:26:03     INFO - zombiecheck | Checking for orphan process with PID: 2414
[task 2018-10-02T20:26:03.675Z] 20:26:03     INFO - mozcrash Downloading symbols from: https://queue.taskcluster.net/v1/task/fskCj5AbSG-YY_TVEVvBBw/artifacts/public/build/target.crashreporter-symbols.zip
[task 2018-10-02T20:26:11.083Z] 20:26:11     INFO - mozcrash Copy/paste: /usr/local/bin/linux64-minidump_stackwalk /tmp/tmpnKScAN.mozrunner/minidumps/0d2568b3-468b-f2c4-0ded-ca7af3246e59.dmp /tmp/tmpmi4a5S
[task 2018-10-02T20:26:22.092Z] 20:26:22     INFO - mozcrash Saved minidump as /builds/worker/workspace/build/blobber_upload_dir/0d2568b3-468b-f2c4-0ded-ca7af3246e59.dmp
[task 2018-10-02T20:26:22.092Z] 20:26:22     INFO - mozcrash Saved app info as /builds/worker/workspace/build/blobber_upload_dir/0d2568b3-468b-f2c4-0ded-ca7af3246e59.extra
[task 2018-10-02T20:26:22.155Z] 20:26:22     INFO - PROCESS-CRASH | Main app process exited normally | application crashed [@ mozilla::dom::ScriptLoader::GetScriptSource(JSContext*, mozilla::dom::ScriptLoadRequest*)]
[task 2018-10-02T20:26:22.157Z] 20:26:22     INFO - Crash dump filename: /tmp/tmpnKScAN.mozrunner/minidumps/0d2568b3-468b-f2c4-0ded-ca7af3246e59.dmp
[task 2018-10-02T20:26:22.158Z] 20:26:22     INFO - Operating system: Linux
[task 2018-10-02T20:26:22.160Z] 20:26:22     INFO -                   0.0.0 Linux 4.4.0-1014-aws #14taskcluster1-Ubuntu SMP Tue Apr 3 10:27:00 UTC 2018 x86_64
[task 2018-10-02T20:26:22.161Z] 20:26:22     INFO - CPU: x86
[task 2018-10-02T20:26:22.163Z] 20:26:22     INFO -      GenuineIntel family 6 model 62 stepping 4
[task 2018-10-02T20:26:22.164Z] 20:26:22     INFO -      2 CPUs
[task 2018-10-02T20:26:22.166Z] 20:26:22     INFO - 
[task 2018-10-02T20:26:22.168Z] 20:26:22     INFO - GPU: UNKNOWN
[task 2018-10-02T20:26:22.169Z] 20:26:22     INFO - 
[task 2018-10-02T20:26:22.171Z] 20:26:22     INFO - Crash reason:  SIGSEGV
[task 2018-10-02T20:26:22.172Z] 20:26:22     INFO - Crash address: 0x0
[task 2018-10-02T20:26:22.174Z] 20:26:22     INFO - Process uptime: not available
[task 2018-10-02T20:26:22.175Z] 20:26:22     INFO - 
[task 2018-10-02T20:26:22.177Z] 20:26:22     INFO - Thread 0 (crashed)

Push with failures:
https://treeherder.mozilla.org/#/jobs?repo=autoland&searchStr=1&revision=2de25096cdd54c32488a4d5fdb1fefce6d1fb6db

Backout:
https://hg.mozilla.org/integration/autoland/rev/fa95314b2d87293cbc150662dc5eaadd73624cf0
Flags: needinfo?(bzbarsky)
Depends on: 1496159
Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e2ec1eeb812d
Change the default credentials mode for module scripts from 'omit' to 'same-origin'.  r=farre
https://hg.mozilla.org/mozilla-central/rev/e2ec1eeb812d
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Flags: needinfo?(bzbarsky)
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.