Closed Bug 1822699 Opened 1 year ago Closed 11 months ago

Dynamic import credentials failure on WPT

Categories

(Core :: DOM: Workers, defect, P3)

Product:
Core
Component:
DOM: Workers
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
116 Branch
Tracking Flags:
Tracking Status
firefox116 --- fixed

People

(Reporter: evilpie, Assigned: allstars.chh)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1822699 - Use credentials="same origin" for dynamic import scripts in a classic worker script.
48 bytes, text/x-phabricator-request
Details | Review

We are failing two tests on https://wpt.fyi/results/workers/modules/dedicated-worker-options-credentials.html. Those shouldn't have anything to do with CSP so they should probably pass.

new Worker() with type=classic should always send the credentials for same-origin dynamic imports regardless of the credentials option (omit).

new Worker() with type=classic should never send the credentials for cross-origin dynamic imports regardless of the credentials option (include).

Severity: -- → S3
Priority: -- → P3
Assignee: nobody → allstars.chh

HostLoadImportedModule,
https://html.spec.whatwg.org/multipage/webappapis.html#hostloadimportedmodule

<spec>
6. If referrer is a Script Record or a Module Record, then:
3. Set fetchOptions to the descendant script fetch options for
referencingScript's fetch options.
</spec>

And the referencingScript can be either:

  • a classic worker script.
  • a module worker script.

For the classic worker script, its fetch options are defined in
'fetch a classic worker script'
https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-classic-worker-script
See the algorithm processResponseConsumeBody

<spec>
5. Let script be the result of creating a classic script using
source text, script settings object, response's URL, and the
default classic script fetch options.
</spec>

Default classic script fetch options
https://html.spec.whatwg.org/multipage/webappapis.html#default-classic-script-fetch-options

<spec>
The default classic script fetch options are a script fetch options
whose ... credentials mode is "same-origin", ....
</spec>

For the module worker script, its fetch options are defined in
'fetch a worklet/module worker script graph'

https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-worklet/module-worker-script-graph

<spec>

  1. Let options be a script fetch options whose ... credentials mode is
    credentials mode ...
    </sec>

where credentials mode is provided when a worklet or a module worker
is created.

Pushed by allstars.chh@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/bb309ccead73
Use credentials="same origin" for dynamic import scripts in a classic worker script. r=jonco

https://hg.mozilla.org/mozilla-central/rev/bb309ccead73

Status: NEW → RESOLVED
Closed: 11 months ago
status-firefox116: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: