

Bug 1493449. Change the default credentials mode for module scripts f…
…rom 'omit' to 'same-origin'. r=farre

The tests come directly from
web-platform-tests/wpt#13176 and
web-platform-tests/wpt#13245

Differential Revision: https://phabricator.services.mozilla.com/D7113
bzbarsky committed Oct 6, 2018
1 parent 10ad45b commit d3c0e3a
Showing 4 changed files with 90 additions and 3 deletions.
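--- a/dom/script/ScriptLoader.cpp
+++ b/dom/script/ScriptLoader.cpp
@@ -1073,9 +1073,8 @@ ScriptLoader::StartLoad(ScriptLoadRequest* aRequest)
 // According to the spec, module scripts have different behaviour to classic
 // scripts and always use CORS.
 securityFlags = nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS;
-if (aRequest->CORSMode() == CORS_NONE) {
-securityFlags |= nsILoadInfo::SEC_COOKIES_OMIT;
-} else if (aRequest->CORSMode() == CORS_ANONYMOUS) {
+if (aRequest->CORSMode() == CORS_NONE ||
+aRequest->CORSMode() == CORS_ANONYMOUS) {
 securityFlags |= nsILoadInfo::SEC_COOKIES_SAME_ORIGIN;
 } else {
 MOZ_ASSERT(aRequest->CORSMode() == CORS_USE_CREDENTIALS);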
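Review bot: The merged condition `CORS_NONE || CORS_ANONYMOUS` carries no comment explaining why a module script with no crossorigin attribute now sends same-origin credentials; the comment above it only says that modules always use CORS. I would add, directly above the `if`, `// A missing crossorigin attribute and crossorigin="anonymous" both select the "same-origin" credentials mode for module scripts.` Separately, the `else` branch is guarded only by `MOZ_ASSERT`, which is not checked in release builds, so any CORSMode value other than the three named here would take whatever that branch sets; its body is outside the hunk, so it is worth confirming that it cannot grant broader credentials than intended. StartLoad begins and ends outside this hunk.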
@@ -0,0 +1,4 @@
[dynamic-imports-credentials.sub.html]
[Dynamic imports should be loaded with or without the credentials based on the same-origin-ness and the parent script's crossOrigin attribute]
expected: FAIL
bug: 1342012
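Review bot: The subtest is annotated `expected: FAIL`, so the six credential assertions in the new test cannot catch a regression in this tree until the referenced bug is resolved. The test added on this page exercises only dynamic `import()`, so the ScriptLoader.cpp change appears to land without a passing test that pins the new same-origin default. If an existing test already covers the static module case, it would help to name it next to this expectation; otherwise this annotation should be removed as soon as bug 1342012 is fixed.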
@@ -0,0 +1,58 @@
<!DOCTYPE html>
<meta charset="utf-8">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>

<script type="text/javascript">
host_info = get_host_info();

document.cookie = 'same=1';

const setCookiePromise = fetch(
'http://{{domains[www2]}}:{{ports[http][0]}}/cookies/resources/set-cookie.py?name=cross&path=/html/semantics/scripting-1/the-script-element/module/',
{
mode: 'no-cors',
credentials: 'include',
});

const windowLoadPromise = new Promise(resolve => {
window.addEventListener('load', () => {
resolve();
});
});

promise_test(t => {
const iframe = document.createElement('iframe');

return Promise.all([setCookiePromise, windowLoadPromise]).then(() => {
const messagePromise = new Promise(resolve => {
window.addEventListener('message', event => {
resolve();
});
});

iframe.src = '../resources/dynamic-import-credentials-iframe.sub.html';
document.body.appendChild(iframe);

return messagePromise;
}).then(() => {
const w = iframe.contentWindow;

assert_equals(w.sameOriginNoneDynamicDescendant, 'found',
'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is not specified and the target is same-origin');
assert_equals(w.sameOriginAnonymousDynamicDescendant, 'found',
'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is same-origin');
assert_equals(w.sameOriginUseCredentialsDynamicDescendant, 'found',
'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is same-origin');
assert_equals(w.crossOriginNoneDynamicDescendant, 'not found',
'Dynamic descendant modules should not be loaded with the credentials when the crossOrigin attribute is not specified and the target is cross-origin');
assert_equals(w.crossOriginAnonymousDynamicDescendant, 'not found',
'Dynamic descendant modules should not be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is cross-origin');
assert_equals(w.crossOriginUseCredentialsDynamicDescendant, 'found',
'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is cross-origin');
});
}, 'Dynamic imports should be loaded with or without the credentials based on the same-origin-ness and the parent script\'s crossOrigin attribute');
</script>
<body>
</body>
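Review bot: The `message` listener inside `promise_test` resolves on any message delivered to the window, not only the one from the iframe created by this test, so a stray message could let the assertions run before the iframe has finished. I would check the sender before resolving, `if (event.source === iframe.contentWindow) resolve();`. Two smaller points: `host_info = get_host_info();` creates an implicit global that is never read in this file and could be dropped, and neither the `same` cookie nor the cross-origin cookie is cleared afterwards, so they may leak into later tests on the same hosts.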
@@ -0,0 +1,26 @@
<!DOCTYPE html>
<script type="module">
import("./check-cookie.py?id=sameOriginNoneDynamicDescendant&cookieName=same");
</script>
<script type="module" crossOrigin="anonymous">
import("./check-cookie.py?id=sameOriginAnonymousDynamicDescendant&cookieName=same");
</script>
<script type="module" crossOrigin="use-credentials">
import("./check-cookie.py?id=sameOriginUseCredentialsDynamicDescendant&cookieName=same");
</script>
<script type="module">
import("http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginNoneDynamicDescendant&cookieName=cross");
</script>
<script type="module" crossOrigin="anonymous">
import("http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginAnonymousDynamicDescendant&cookieName=cross");
</script>
<script type="module" crossOrigin="use-credentials">
import("http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginUseCredentialsDynamicDescendant&cookieName=cross");
</script>


<script type="text/javascript">
window.addEventListener('load', event => {
window.parent.postMessage({}, '*');
});
</script>
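Review bot: Nothing visible in this file ties the `load` handler to completion of the six `import()` calls, so if dynamic imports do not delay the load event the parent may read the `window` globals before check-cookie.py has set them. I would keep each `import(...)` promise in a shared array and post the message once all of them have settled, rather than relying on `load`. The `'*'` target origin in `postMessage({}, '*')` is harmless with an empty payload, but `location.origin` would state the intended same-origin recipient explicitly.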
