[Webkit-unassigned] [Bug 206811] New: Same-origin type="module" scripts only send cookies with crossorigin="use-credential" set

Sun Jan 26 15:50:54 PST 2020

https://bugs.webkit.org/show_bug.cgi?id=206811

            Bug ID: 206811
           Summary: Same-origin type="module" scripts only send cookies
                    with crossorigin="use-credential" set
           Product: WebKit
           Version: Safari 13
          Hardware: All
                OS: macOS 10.15
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Platform
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: webkitbugzilla at accounts.rdmurphy.org

Safari seems to diverge from the other browsers (Chrome, Chromium Edge and Firefox) in how it treats the sending of cookies with requests with same-origin type="module" script tags, and it seems to exist even if "cross site tracking" is deactivated. At first I thought it was CORS related, but because the script is being served from the same-origin I believe CORS wouldn't be required. The only way I was able to accomplish actually sending cookies on such a request was with passing `crossorigin="use-credentials"`.

This does seem similar in nature to these outstanding bugs:
https://bugs.webkit.org/show_bug.cgi?id=171566
https://bugs.webkit.org/show_bug.cgi?id=171550

What's even stranger is that it _does_ seem to be fine with fetch(). I can successfully send a fetch() request for the same file in the console of the page (which should throw an error if the cookies were not included in the request).

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200126/c57cdfbc/attachment.htm>