[Webkit-unassigned] [Bug 206811] New: Same-origin type="module" scripts only send cookies with crossorigin="use-credential" set
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sun Jan 26 15:50:54 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=206811
Bug ID: 206811
Summary: Same-origin type="module" scripts only send cookies
with crossorigin="use-credential" set
Product: WebKit
Version: Safari 13
Hardware: All
OS: macOS 10.15
Status: NEW
Severity: Normal
Priority: P2
Component: Platform
Assignee: webkit-unassigned at lists.webkit.org
Reporter: webkitbugzilla at accounts.rdmurphy.org
Safari seems to diverge from the other browsers (Chrome, Chromium Edge and Firefox) in how it treats the sending of cookies with requests with same-origin type="module" script tags, and it seems to exist even if "cross site tracking" is deactivated. At first I thought it was CORS related, but because the script is being served from the same-origin I believe CORS wouldn't be required. The only way I was able to accomplish actually sending cookies on such a request was with passing `crossorigin="use-credentials"`.
This does seem similar in nature to these outstanding bugs:
https://bugs.webkit.org/show_bug.cgi?id=171566
https://bugs.webkit.org/show_bug.cgi?id=171550
What's even stranger is that it _does_ seem to be fine with fetch(). I can successfully send a fetch() request for the same file in the console of the page (which should throw an error if the cookies were not included in the request).
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200126/c57cdfbc/attachment.htm>
More information about the webkit-unassigned
mailing list