Open Bug 1854289 Opened 2 years ago Updated 1 year ago

fetch() with "omit" credentials matches Link preload with "same-origin" credentials

Categories

(Core :: DOM: Networking, defect, P2)

Firefox 117
defect
Points:
3

Tracking

()

UNCONFIRMED

People

(Reporter: austin.donisan, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged][necko-priority-next])

Attachments

(5 files)

Attached file preload-test.html

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0

Steps to reproduce:

Preload a same-domain url using the Link tag with the "fetch" type and the "anonymous" crossorigin value. Then request the same url with fetch(), but with credentials omitted. Simple test case is attached.

Actual results:

Only one request, which includes cookies, is made. fetch() incorrectly returns this response.

Expected results:

Two requests should be made, one with cookies and one without. fetch() should return the response for the cookie-less request.

The "anonymous" crossorigin attribute should set the credentials mode to "same-origin" for the preload request, so it shouldn't match the fetch() request with a credentials mode of "omit".

https://html.spec.whatwg.org/multipage/urls-and-fetching.html#cors-settings-attributes
https://html.spec.whatwg.org/multipage/links.html#preload-key

Chrome makes 2 requests for the attached test case.

Also, setting crossorigin="use-credentials" (instead of "anonymous") causes Firefox to trigger 2 requests.
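
The matching rule the report relies on, as an added example (not the attached test case and not Firefox's code): it builds the HTML spec's preload key (URL, destination, mode, credentials mode) for a `<link rel="preload">` and for a `fetch()` call and only lets a preload be consumed when all four agree, so a response fetched with cookies is never handed to a request that asked to omit them. The URL and the `consumePreloadedResource` helper name are constructed for illustration.

```javascript
// Added example, not from the bug report or Firefox: the preload-key comparison
// the HTML spec prescribes, applied to the requests described in this report.

// A <link rel="preload"> request is built by "create a potential-CORS request":
// no crossorigin attribute -> No CORS state; "use-credentials" -> Use Credentials;
// any other value (including "anonymous" and "") -> Anonymous.
function preloadRequestFromLink({ href, as, crossorigin }) {
  let mode = "cors";
  let credentials = "same-origin";           // Anonymous state
  if (crossorigin === undefined || crossorigin === null) {
    mode = "no-cors";
    credentials = "include";                 // No CORS state
  } else if (String(crossorigin).toLowerCase() === "use-credentials") {
    credentials = "include";                 // Use Credentials state
  }
  // as="fetch" maps to the empty destination, which is also what fetch() uses.
  const destination = as === "fetch" ? "" : as;
  return { url: href, destination, mode, credentials };
}

// fetch(url, init) defaults: mode "cors", credentials "same-origin".
function requestFromFetchInit(url, init = {}) {
  return {
    url,
    destination: "",
    mode: init.mode ?? "cors",
    credentials: init.credentials ?? "same-origin",
  };
}

// Preload key: URL, destination, mode and credentials mode must all agree.
function preloadKey(req) {
  return [req.url, req.destination, req.mode, req.credentials].join("|");
}

// Returns the preload entry a fetch() call may consume, or null when none matches.
function consumePreloadedResource(preloads, url, init) {
  const wanted = preloadKey(requestFromFetchInit(url, init));
  return preloads.find((entry) => preloadKey(preloadRequestFromLink(entry)) === wanted) ?? null;
}

// Constructed URL for illustration; it stands in for the attached test case.
const URL_UNDER_TEST = "https://example.test/data.json";
const PRELOADS = [{ href: URL_UNDER_TEST, as: "fetch", crossorigin: "anonymous" }];

// The report: a preload with credentials "same-origin" must not satisfy a fetch()
// whose credentials mode is "omit", so a second, cookie-less request is expected.
console.log(consumePreloadedResource(PRELOADS, URL_UNDER_TEST, { credentials: "omit" })); // null
console.log(consumePreloadedResource(PRELOADS, URL_UNDER_TEST, {}));                      // the preload entry
```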

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Networking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Networking
Product: Firefox → Core
Attached image screenshot_117.0.jpg

Austin, is this the error you were referring to?

Flags: needinfo?(austin.donisan)

No, you need to host the file on an actual website since fetch() doesn't work for file:// urls.

Flags: needinfo?(austin.donisan)

I hosted the test case to make this easier to check:

https://server.hideaway-hotel.com/test1.html

Same as the other bug you created, can you submit some HTTP logs for us to review?
You can use about:logging with the networking preset and log to file and upload here or email to necko@mozilla.com.
Thanks!

Flags: needinfo?(austin.donisan)
Flags: needinfo?(austin.donisan)
Blocks: fetch
Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged][necko-priority-new]
Whiteboard: [necko-triaged][necko-priority-new] → [necko-triaged][necko-priority-review]
Flags: needinfo?(rjesup)
Flags: needinfo?(smayya)

Thank you Austin for the logs and hosting the test file.
This is interesting.
First I thought it could be an issue with Devtools, however I confirmed from the logs that we are only sending 1 request.
We need to change our logic to determine if we have any preloads (particularly CORS handling) before fetching here.

Points: --- → 3
Rank: 5
Flags: needinfo?(smayya)
Flags: needinfo?(rjesup)
Whiteboard: [necko-triaged][necko-priority-review] → [necko-triaged][necko-priority-next]