From b406a806a09579ecdd46eba0190268405fd96e09 Mon Sep 17 00:00:00 2001 From: Boris Zbarsky Date: Sat, 6 Oct 2018 04:49:13 +0000 Subject: [PATCH] Bug 1493449. Change the default credentials mode for module scripts from 'omit' to 'same-origin'. r=farre The tests come directly from https://github.com/web-platform-tests/wpt/pull/13176 and https://github.com/web-platform-tests/wpt/pull/13245 Differential Revision: https://phabricator.services.mozilla.com/D7113 --- dom/script/ScriptLoader.cpp | 5 +- .../dynamic-imports-credentials.sub.html.ini | 4 ++ .../dynamic-imports-credentials.sub.html | 58 +++++++++++++++++++ ...dynamic-import-credentials-iframe.sub.html | 26 +++++++++ 4 files changed, 90 insertions(+), 3 deletions(-) create mode 100644 testing/web-platform/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html.ini create mode 100644 testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html create mode 100644 testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/resources/dynamic-import-credentials-iframe.sub.html diff --git a/dom/script/ScriptLoader.cpp b/dom/script/ScriptLoader.cpp index bf3442dd6173..a2df7b19269d 100644 --- a/dom/script/ScriptLoader.cpp +++ b/dom/script/ScriptLoader.cpp @@ -1073,9 +1073,8 @@ ScriptLoader::StartLoad(ScriptLoadRequest* aRequest) // According to the spec, module scripts have different behaviour to classic // scripts and always use CORS. securityFlags = nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS; - if (aRequest->CORSMode() == CORS_NONE) { - securityFlags |= nsILoadInfo::SEC_COOKIES_OMIT; - } else if (aRequest->CORSMode() == CORS_ANONYMOUS) { + if (aRequest->CORSMode() == CORS_NONE || + aRequest->CORSMode() == CORS_ANONYMOUS) { securityFlags |= nsILoadInfo::SEC_COOKIES_SAME_ORIGIN; } else { MOZ_ASSERT(aRequest->CORSMode() == CORS_USE_CREDENTIALS); diff --git a/testing/web-platform/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html.ini b/testing/web-platform/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html.ini new file mode 100644 index 000000000000..99df447e4c51 --- /dev/null +++ b/testing/web-platform/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html.ini @@ -0,0 +1,4 @@ +[dynamic-imports-credentials.sub.html] + [Dynamic imports should be loaded with or without the credentials based on the same-origin-ness and the parent script's crossOrigin attribute] + expected: FAIL + bug: 1342012 diff --git a/testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html b/testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html new file mode 100644 index 000000000000..b939a3ef1639 --- /dev/null +++ b/testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html @@ -0,0 +1,58 @@ + + + + + + + + + diff --git a/testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/resources/dynamic-import-credentials-iframe.sub.html b/testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/resources/dynamic-import-credentials-iframe.sub.html new file mode 100644 index 000000000000..836ece62c5f6 --- /dev/null +++ b/testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/resources/dynamic-import-credentials-iframe.sub.html @@ -0,0 +1,26 @@ + + + + + + + + + +