Bug 1493449. Change the default credentials mode for module scripts from 'omit' to 'same-origin'. r=farre
☠☠ backed out by fa95314b2d87 ☠ ☠
authorBoris Zbarsky <bzbarsky@mit.edu>
Tue, 02 Oct 2018 07:11:23 +0000
changeset 439270 2de25096cdd54c32488a4d5fdb1fefce6d1fb6db
parent 439269 5e5d6abb39afe0a23555db526a5bbbf3d59b4cd9
child 439271 d530d3abb3956a2d59636e109cc81aa78e9cc11d
push id34760
push userdvarga@mozilla.com
push dateWed, 03 Oct 2018 04:19:01 +0000
reviewersfarre
bugs1493449, 13176, 13245
milestone64.0a1
Bug 1493449. Change the default credentials mode for module scripts from 'omit' to 'same-origin'. r=farre The tests come directly from https://github.com/web-platform-tests/wpt/pull/13176 and https://github.com/web-platform-tests/wpt/pull/13245 Differential Revision: https://phabricator.services.mozilla.com/D7113
dom/script/ScriptLoader.cpp
testing/web-platform/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html.ini
testing/web-platform/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-fetch-error.sub.html.ini
testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/credentials.sub.html
testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html
testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/resources/credentials-iframe.sub.html
testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/resources/dynamic-import-credentials-iframe.sub.html
--- a/dom/script/ScriptLoader.cpp
+++ b/dom/script/ScriptLoader.cpp
@@ -1069,19 +1069,18 @@ ScriptLoader::StartLoad(ScriptLoadReques
   nsIDocShell* docshell = window->GetDocShell();
   nsCOMPtr<nsIInterfaceRequestor> prompter(do_QueryInterface(docshell));
 
   nsSecurityFlags securityFlags;
   if (aRequest->IsModuleRequest()) {
     // According to the spec, module scripts have different behaviour to classic
     // scripts and always use CORS.
     securityFlags = nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS;
-    if (aRequest->CORSMode() == CORS_NONE) {
-      securityFlags |= nsILoadInfo::SEC_COOKIES_OMIT;
-    } else if (aRequest->CORSMode() == CORS_ANONYMOUS) {
+    if (aRequest->CORSMode() == CORS_NONE ||
+        aRequest->CORSMode() == CORS_ANONYMOUS) {
       securityFlags |= nsILoadInfo::SEC_COOKIES_SAME_ORIGIN;
     } else {
       MOZ_ASSERT(aRequest->CORSMode() == CORS_USE_CREDENTIALS);
       securityFlags |= nsILoadInfo::SEC_COOKIES_INCLUDE;
     }
   } else {
     securityFlags = aRequest->CORSMode() == CORS_NONE
       ? nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html.ini
@@ -0,0 +1,4 @@
+[dynamic-imports-credentials.sub.html]
+  [Dynamic imports should be loaded with or without the credentials based on the same-origin-ness and the parent script's crossOrigin attribute]
+    expected: FAIL
+    bug: 1342012
--- a/testing/web-platform/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-fetch-error.sub.html.ini
+++ b/testing/web-platform/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-fetch-error.sub.html.ini
@@ -1,3 +1,4 @@
 [dynamic-imports-fetch-error.sub.html]
   [import(): error cases occuring during fetching]
     expected: FAIL
+    bug: 1342012
--- a/testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/credentials.sub.html
+++ b/testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/credentials.sub.html
@@ -34,38 +34,38 @@ promise_test(t => {
 
     iframe.src = 'resources/credentials-iframe.sub.html';
     document.body.appendChild(iframe);
 
     return messagePromise;
   }).then(() => {
     const w = iframe.contentWindow;
 
-    assert_equals(w.sameOriginNone, 'not found',
-                  'Modules should be loaded without the credentials when the crossOrigin attribute is not specified and the target is same-origin');
+    assert_equals(w.sameOriginNone, 'found',
+                  'Modules should be loaded with the credentials when the crossOrigin attribute is not specified and the target is same-origin');
     assert_equals(w.sameOriginAnonymous, 'found',
                   'Modules should be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is same-origin');
     assert_equals(w.sameOriginUseCredentials, 'found',
                   'Modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is same-origin');
     assert_equals(w.crossOriginNone, 'not found',
-                  'Modules should be loaded without the credentials when the crossOrigin attribute is not specified and the target is cross-origin');
+                  'Modules should not be loaded with the credentials when the crossOrigin attribute is not specified and the target is cross-origin');
     assert_equals(w.crossOriginAnonymous, 'not found',
-                  'Modules should be loaded without the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is cross-origin');
+                  'Modules should not be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is cross-origin');
     assert_equals(w.crossOriginUseCredentials, 'found',
                   'Modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is cross-origin');
 
-    assert_equals(w.sameOriginNoneDecendent, 'not found',
-                  'Decendent modules should be loaded without the credentials when the crossOrigin attribute is not specified and the target is same-origin');
-    assert_equals(w.sameOriginAnonymousDecendent, 'found',
-                  'Decendent modules should be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is same-origin');
-    assert_equals(w.sameOriginUseCredentialsDecendent, 'found',
-                  'Decendent modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is same-origin');
-    assert_equals(w.crossOriginNoneDecendent, 'not found',
-                  'Decendent modules should be loaded without the credentials when the crossOrigin attribute is not specified and the target is cross-origin');
-    assert_equals(w.crossOriginAnonymousDecendent, 'not found',
-                  'Decendent modules should be loaded without the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is cross-origin');
-    assert_equals(w.crossOriginUseCredentialsDecendent, 'found',
-                  'Decendent modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is cross-origin');
+    assert_equals(w.sameOriginNoneDescendant, 'found',
+                  'Descendant modules should be loaded with the credentials when the crossOrigin attribute is not specified and the target is same-origin');
+    assert_equals(w.sameOriginAnonymousDescendant, 'found',
+                  'Descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is same-origin');
+    assert_equals(w.sameOriginUseCredentialsDescendant, 'found',
+                  'Descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is same-origin');
+    assert_equals(w.crossOriginNoneDescendant, 'not found',
+                  'Descendant modules should not be loaded with the credentials when the crossOrigin attribute is not specified and the target is cross-origin');
+    assert_equals(w.crossOriginAnonymousDescendant, 'not found',
+                  'Descendant modules should not be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is cross-origin');
+    assert_equals(w.crossOriginUseCredentialsDescendant, 'found',
+                  'Descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is cross-origin');
 });
 }, 'Modules should be loaded with or without the credentials based on the same-origin-ness and the crossOrigin attribute');
 </script>
 <body>
 </body>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/dynamic-imports-credentials.sub.html
@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+
+<script type="text/javascript">
+host_info = get_host_info();
+
+document.cookie = 'same=1';
+
+const setCookiePromise = fetch(
+    'http://{{domains[www2]}}:{{ports[http][0]}}/cookies/resources/set-cookie.py?name=cross&path=/html/semantics/scripting-1/the-script-element/module/',
+    {
+      mode: 'no-cors',
+      credentials: 'include',
+    });
+
+const windowLoadPromise = new Promise(resolve => {
+  window.addEventListener('load', () => {
+    resolve();
+  });
+});
+
+promise_test(t => {
+  const iframe = document.createElement('iframe');
+
+  return Promise.all([setCookiePromise, windowLoadPromise]).then(() => {
+    const messagePromise = new Promise(resolve => {
+      window.addEventListener('message', event => {
+        resolve();
+      });
+    });
+
+    iframe.src = '../resources/dynamic-import-credentials-iframe.sub.html';
+    document.body.appendChild(iframe);
+
+    return messagePromise;
+  }).then(() => {
+    const w = iframe.contentWindow;
+
+    assert_equals(w.sameOriginNoneDynamicDescendant, 'found',
+                  'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is not specified and the target is same-origin');
+    assert_equals(w.sameOriginAnonymousDynamicDescendant, 'found',
+                  'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is same-origin');
+    assert_equals(w.sameOriginUseCredentialsDynamicDescendant, 'found',
+                  'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is same-origin');
+    assert_equals(w.crossOriginNoneDynamicDescendant, 'not found',
+                  'Dynamic descendant modules should not be loaded with the credentials when the crossOrigin attribute is not specified and the target is cross-origin');
+    assert_equals(w.crossOriginAnonymousDynamicDescendant, 'not found',
+                  'Dynamic descendant modules should not be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is cross-origin');
+    assert_equals(w.crossOriginUseCredentialsDynamicDescendant, 'found',
+                  'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is cross-origin');
+});
+}, 'Dynamic imports should be loaded with or without the credentials based on the same-origin-ness and the parent script\'s crossOrigin attribute');
+</script>
+<body>
+</body>
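Review bot: `host_info = get_host_info();` at line 143 assigns an undeclared global that nothing else in this file reads; the cross-origin host comes from the `{{domains[www2]}}:{{ports[http][0]}}` template substitutions instead. Either declare it (`const host_info = get_host_info();`) if a follow-up will use it, or drop the line together with the get-host-info.sub.js include at line 140. The `message` listener at line 165 also resolves on the first message from any source, which is acceptable in an isolated WPT page, but a guard such as `if (event.source !== iframe.contentWindow) return;` would keep an unrelated message from ending the wait early and producing a confusing `undefined` in the assertions.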
--- a/testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/resources/credentials-iframe.sub.html
+++ b/testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/resources/credentials-iframe.sub.html
@@ -20,31 +20,31 @@
         crossOrigin="anonymous">
 </script>
 <script type="module"
         src="http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginUseCredentials&cookieName=cross"
         crossOrigin="use-credentials">
 </script>
 
 <script type="module">
-import "./check-cookie.py?id=sameOriginNoneDecendent&cookieName=same";
+import "./check-cookie.py?id=sameOriginNoneDescendant&cookieName=same";
 </script>
 <script type="module" crossOrigin="anonymous">
-import "./check-cookie.py?id=sameOriginAnonymousDecendent&cookieName=same";
+import "./check-cookie.py?id=sameOriginAnonymousDescendant&cookieName=same";
 </script>
 <script type="module" crossOrigin="use-credentials">
-import "./check-cookie.py?id=sameOriginUseCredentialsDecendent&cookieName=same";
+import "./check-cookie.py?id=sameOriginUseCredentialsDescendant&cookieName=same";
 </script>
 <script type="module">
-import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginNoneDecendent&cookieName=cross";
+import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginNoneDescendant&cookieName=cross";
 </script>
 <script type="module" crossOrigin="anonymous">
-import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginAnonymousDecendent&cookieName=cross";
+import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginAnonymousDescendant&cookieName=cross";
 </script>
 <script type="module" crossOrigin="use-credentials">
-import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginUseCredentialsDecendent&cookieName=cross";
+import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginUseCredentialsDescendant&cookieName=cross";
 </script>
 
 <script type="text/javascript">
 window.addEventListener('load', event => {
   window.parent.postMessage({}, '*');
 });
 </script>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/resources/dynamic-import-credentials-iframe.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script type="module">
+import("./check-cookie.py?id=sameOriginNoneDynamicDescendant&cookieName=same");
+</script>
+<script type="module" crossOrigin="anonymous">
+import("./check-cookie.py?id=sameOriginAnonymousDynamicDescendant&cookieName=same");
+</script>
+<script type="module" crossOrigin="use-credentials">
+import("./check-cookie.py?id=sameOriginUseCredentialsDynamicDescendant&cookieName=same");
+</script>
+<script type="module">
+import("http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginNoneDynamicDescendant&cookieName=cross");
+</script>
+<script type="module" crossOrigin="anonymous">
+import("http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginAnonymousDynamicDescendant&cookieName=cross");
+</script>
+<script type="module" crossOrigin="use-credentials">
+import("http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginUseCredentialsDynamicDescendant&cookieName=cross");
+</script>
+
+
+<script type="text/javascript">
+window.addEventListener('load', event => {
+  window.parent.postMessage({}, '*');
+});
+</script>
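Review bot: The parent is notified from the window `load` handler at lines 260-262, but the six `import()` calls above return promises that, as far as I can tell, do not delay the load event the way the static `import` declarations in credentials-iframe.sub.html do, so the postMessage can be sent before the check-cookie.py responses have set the window properties the parent test reads, and the parent would then see `undefined` rather than 'found'/'not found'. Gate the notification on the import promises instead: have each module script push its `import()` promise onto a shared array and post the message once they have all settled, with a `catch` so a rejected cross-origin fetch still notifies the parent rather than hanging the test. The static-import sibling page needs no such change because its module graph is fetched before the script executes.
```html
<script>window.pendingImports = [];</script>
<script type="module">
window.pendingImports.push(import("./check-cookie.py?id=sameOriginNoneDynamicDescendant&cookieName=same"));
</script>
<!-- … unchanged: the other five module scripts, each pushing its import() promise the same way … -->
<script type="text/javascript">
window.addEventListener('load', event => {
  Promise.all(window.pendingImports)
    .catch(() => {})
    .then(() => { window.parent.postMessage({}, '*'); });
});
</script>
```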