Closed Bug 1493449 Opened 6 years ago Closed 6 years ago

Change default credentials mode for module scripts from omit to same-origin

Categories

(Core :: DOM: Core & HTML, defect, P2)

RESOLVED FIXED
mozilla64
Tracking Status
firefox64 --- fixed

People

(Reporter: domfarolino, Assigned: bzbarsky)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36

Steps to reproduce:

The HTML Standard is changing such that module scripts (<script type=module>) and their descendants are fetched with "same-origin" credentials mode [1]. This means credentials must be included on same-origin module script requests by default. See point (1) in the following HTML PR: https://github.com/whatwg/html/pull/3656#issuecomment-421589162. Some of the other points in that PR are pending spec finalization, and a separate issue should be filed for them.

[1]: https://fetch.spec.whatwg.org/#concept-request-credentials-mode

For reference, we made a similar change for fetch() in bug 1394399.

Status: UNCONFIRMED → NEW
Component: Untriaged → DOM
Ever confirmed: true
Product: Firefox → Core

So just to be clear, that means that for module scripts crossorigin="anonymous" and not having a "crossorigin" attribute set at all have identical credentials behavior, right?

Am I correct, based on https://github.com/whatwg/html/pull/3656#issuecomment-421589162 and the Firefox result on <http://w3c-test.org/html/semantics/scripting-1/the-script-element/module/credentials.sub.html>, that there are no updated web platform tests here yet?

That is correct. I've started on the WPTs for this alongside the Chromium impl, you can see what tests I've edited here: https://crrev.com/c/1239638.

Note that it's also in line with what we typically do for CORS requests. The "unusual" (but good) thing here is that module scripts don't have a "no-cors" mode.

Assignee: nobody → bzbarsky
Priority: -- → P2
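
The credentials behaviour discussed in the comments above, as an added example that is not part of the original bug thread or of Firefox's code: it models how the crossorigin attribute maps to a credentials mode for module scripts before and after this change, and lists the scripts whose requests start carrying credentials. The function names, script descriptors and URLs are constructed for illustration; redirects and imported descendants are not modelled.

```javascript
// Added example. crossorigin attribute -> CORS settings state:
// missing = "no-cors" state, "use-credentials" (case-insensitive) = credentialed,
// any other value (including "" and invalid keywords) = "anonymous".
function corsState(crossorigin) {
  if (crossorigin == null) return "no-cors";
  return crossorigin.toLowerCase() === "use-credentials" ? "use-credentials" : "anonymous";
}

// Credentials mode for a module script. legacyDefault = true selects the
// behaviour before this bug ("omit" when no crossorigin attribute is set).
function moduleCredentialsMode(crossorigin, legacyDefault = false) {
  const state = corsState(crossorigin);
  if (state === "use-credentials") return "include";
  if (state === "anonymous") return "same-origin";
  return legacyDefault ? "omit" : "same-origin";
}

// "include" always sends credentials, "omit" never does, and "same-origin"
// sends them only when the script URL shares the document's origin.
function sendsCredentials(mode, documentUrl, scriptUrl) {
  if (mode === "include") return true;
  if (mode === "omit") return false;
  return new URL(scriptUrl, documentUrl).origin === new URL(documentUrl).origin;
}

// Module scripts whose requests carried no credentials under the old default
// but do under the new one: the set worth reviewing on the server side.
function newlyCredentialed(documentUrl, scripts) {
  return scripts
    .filter((s) => s.type === "module")
    .filter((s) => {
      const before = sendsCredentials(moduleCredentialsMode(s.crossorigin, true), documentUrl, s.src);
      const after = sendsCredentials(moduleCredentialsMode(s.crossorigin, false), documentUrl, s.src);
      return !before && after;
    })
    .map((s) => s.src);
}

// Constructed sample input (hypothetical page and script URLs).
const sampleScripts = [
  { type: "module", src: "/app/main.mjs", crossorigin: null },
  { type: "module", src: "/app/widget.mjs", crossorigin: "anonymous" },
  { type: "module", src: "https://cdn.example.net/lib.mjs", crossorigin: null },
  { type: "module", src: "https://cdn.example.net/auth.mjs", crossorigin: "use-credentials" },
  { type: "text/javascript", src: "/legacy.js", crossorigin: null },
];
console.log(newlyCredentialed("https://app.example.com/index.html", sampleScripts));
```

Only the same-origin module script without a crossorigin attribute changes behaviour; cross-origin module scripts without the attribute still go out without credentials.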
Comment on attachment 9012661 [details]
Bug 1493449.  Change the default credentials mode for module scripts from 'omit' to 'same-origin'.  r=farre

Andreas Farre [:farre] has approved the revision.
Attachment #9012661 - Flags: review+
Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2de25096cdd5
Change the default credentials mode for module scripts from 'omit' to 'same-origin'.  r=farre
Backed out changeset 2de25096cdd5 (bug 1493449) for mochitest failure

Log:
https://treeherder.mozilla.org/logviewer.html#?job_id=202956169&repo=autoland&lineNumber=2281

  INFO - TEST-START | browser/components/payments/test/mochitest/test_address_picker.html
[task 2018-10-02T20:26:02.891Z] 20:26:02     INFO - GECKO(2267) | [Parent 2267, Gecko_IOThread] WARNING: pipe error (76): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 356
[task 2018-10-02T20:26:02.912Z] 20:26:02     INFO - GECKO(2267) | ###!!! [Parent][MessageChannel] Error: (msgtype=0x190084,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
[task 2018-10-02T20:26:02.973Z] 20:26:02     INFO - GECKO(2267) | A content process crashed and MOZ_CRASHREPORTER_SHUTDOWN is set, shutting down
[task 2018-10-02T20:26:03.334Z] 20:26:03     INFO - GECKO(2267) | 1538511963325	Marionette	DEBUG	Received observer notification xpcom-will-shutdown
[task 2018-10-02T20:26:03.342Z] 20:26:03     INFO - GECKO(2267) | 1538511963326	Marionette	INFO	Stopped listening on port 2828
[task 2018-10-02T20:26:03.343Z] 20:26:03     INFO - GECKO(2267) | 1538511963326	Marionette	DEBUG	Remote service is inactive
[task 2018-10-02T20:26:03.668Z] 20:26:03     INFO - TEST-INFO | Main app process: exit 0
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - runtests.py | Application ran for: 0:00:10.105599
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - zombiecheck | Reading PID log: /tmp/tmpYw9qAwpidlog
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - ==> process 2267 launched child process 2290
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - ==> process 2267 launched child process 2345
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - ==> process 2267 launched child process 2360
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - ==> process 2267 launched child process 2414
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - ==> process 2267 launched child process 2448
[task 2018-10-02T20:26:03.673Z] 20:26:03     INFO - zombiecheck | Checking for orphan process with PID: 2360
[task 2018-10-02T20:26:03.674Z] 20:26:03     INFO - zombiecheck | Checking for orphan process with PID: 2345
[task 2018-10-02T20:26:03.674Z] 20:26:03     INFO - zombiecheck | Checking for orphan process with PID: 2290
[task 2018-10-02T20:26:03.674Z] 20:26:03     INFO - zombiecheck | Checking for orphan process with PID: 2448
[task 2018-10-02T20:26:03.674Z] 20:26:03     INFO - zombiecheck | Checking for orphan process with PID: 2414
[task 2018-10-02T20:26:03.675Z] 20:26:03     INFO - mozcrash Downloading symbols from: https://queue.taskcluster.net/v1/task/fskCj5AbSG-YY_TVEVvBBw/artifacts/public/build/target.crashreporter-symbols.zip
[task 2018-10-02T20:26:11.083Z] 20:26:11     INFO - mozcrash Copy/paste: /usr/local/bin/linux64-minidump_stackwalk /tmp/tmpnKScAN.mozrunner/minidumps/0d2568b3-468b-f2c4-0ded-ca7af3246e59.dmp /tmp/tmpmi4a5S
[task 2018-10-02T20:26:22.092Z] 20:26:22     INFO - mozcrash Saved minidump as /builds/worker/workspace/build/blobber_upload_dir/0d2568b3-468b-f2c4-0ded-ca7af3246e59.dmp
[task 2018-10-02T20:26:22.092Z] 20:26:22     INFO - mozcrash Saved app info as /builds/worker/workspace/build/blobber_upload_dir/0d2568b3-468b-f2c4-0ded-ca7af3246e59.extra
[task 2018-10-02T20:26:22.155Z] 20:26:22     INFO - PROCESS-CRASH | Main app process exited normally | application crashed [@ mozilla::dom::ScriptLoader::GetScriptSource(JSContext*, mozilla::dom::ScriptLoadRequest*)]
[task 2018-10-02T20:26:22.157Z] 20:26:22     INFO - Crash dump filename: /tmp/tmpnKScAN.mozrunner/minidumps/0d2568b3-468b-f2c4-0ded-ca7af3246e59.dmp
[task 2018-10-02T20:26:22.158Z] 20:26:22     INFO - Operating system: Linux
[task 2018-10-02T20:26:22.160Z] 20:26:22     INFO -                   0.0.0 Linux 4.4.0-1014-aws #14taskcluster1-Ubuntu SMP Tue Apr 3 10:27:00 UTC 2018 x86_64
[task 2018-10-02T20:26:22.161Z] 20:26:22     INFO - CPU: x86
[task 2018-10-02T20:26:22.163Z] 20:26:22     INFO -      GenuineIntel family 6 model 62 stepping 4
[task 2018-10-02T20:26:22.164Z] 20:26:22     INFO -      2 CPUs
[task 2018-10-02T20:26:22.166Z] 20:26:22     INFO - 
[task 2018-10-02T20:26:22.168Z] 20:26:22     INFO - GPU: UNKNOWN
[task 2018-10-02T20:26:22.169Z] 20:26:22     INFO - 
[task 2018-10-02T20:26:22.171Z] 20:26:22     INFO - Crash reason:  SIGSEGV
[task 2018-10-02T20:26:22.172Z] 20:26:22     INFO - Crash address: 0x0
[task 2018-10-02T20:26:22.174Z] 20:26:22     INFO - Process uptime: not available
[task 2018-10-02T20:26:22.175Z] 20:26:22     INFO - 
[task 2018-10-02T20:26:22.177Z] 20:26:22     INFO - Thread 0 (crashed)

Push with failures:
https://treeherder.mozilla.org/#/jobs?repo=autoland&searchStr=1&revision=2de25096cdd54c32488a4d5fdb1fefce6d1fb6db

Backout:
https://hg.mozilla.org/integration/autoland/rev/fa95314b2d87293cbc150662dc5eaadd73624cf0
Flags: needinfo?(bzbarsky)
Depends on: 1496159
Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e2ec1eeb812d
Change the default credentials mode for module scripts from 'omit' to 'same-origin'.  r=farre
https://hg.mozilla.org/mozilla-central/rev/e2ec1eeb812d
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Flags: needinfo?(bzbarsky)
Component: DOM → DOM: Core & HTML