Loader in certain situations causes issues in Chrome #39

Closed
kitsonk opened this issue Jan 13, 2016 · 12 comments
@kitsonk
Member

kitsonk commented Jan 13, 2016

From @rodneyrehm on dojo/dojo2#15:

The line (<any> node).crossOrigin = 'anonymous'; makes Google Chrome request the resource without any cookies, thus killing my session.

I observed this when opening intern/client.html in a browser, while served from a server that requires authentication (session cookie). All resources are loaded from the same origin, so the forced CORS request imho makes no sense. Shouldn't this only be activated in case we're actually loading something from a different origin?

@kitsonk kitsonk added the bug label Jan 13, 2016
@kitsonk kitsonk added this to the beta.1 milestone Feb 24, 2016
@kitsonk kitsonk modified the milestones: beta.3, beta.2 Mar 11, 2016
@vansimke
Contributor

I've played around with this and I think this may be related to a performance issue in CI. If I set the timeout for the .get() test to 60 seconds and the others to 30 seconds, then all the tests pass in Chrome and Android. Not sure if that is an acceptable solution though since this means that these tests are going to be prone to fail at seemingly random intervals.

@kitsonk
Member Author

kitsonk commented Mar 11, 2016

I suspect this is unrelated to #95 then... what you are saying might be true for #95, but I don't think you recreated the scenario. I might have over-correlated the issues. We should try to see, as reported above and see the cookie behaviour between the two.

@vansimke
Contributor

Sorry, left comment on wrong issue...

@tomdye
Member

tomdye commented Mar 15, 2016

Looks like it was added to enable better error stack traces for cross domain scripts:
https://errorception.com/docs/cors

The original commit:
dojo/intern-only-dojo@5485dfc

@tomdye
Member

tomdye commented Mar 15, 2016

requirejs/text performs some checks to determine if the resource is on another domain, we could implement similar? https://github.com/requirejs/text/blob/master/text.js#L128

@rodneyrehm

Chrome bug 412163 for context.

@tomdye
Member

tomdye commented Mar 15, 2016

If you look at the documentation here:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/img#attr-crossorigin

It suggests that the crossOrigin: anonymous is designed for exactly the case where no cookie etc. is sent. However, other documentation suggesting its use for enabling cross origin stack traces says to use anonymous. Might be worth changing to use-credentials or implementing a check to see if the resource is on a different domain before adding anything at all.

The documentation further says that the use of crossOrigin dictates that the request must be done using CORS or not.

@tomdye
Member

tomdye commented Mar 15, 2016

@kitsonk has suggested adding a cross-origin-stack-trace has flag to the loader, I anticipate that this would take an argument of anonymous or use-credentials and default to false which would not add the crossOrigin attr to the script tag in the first place.

@jason0x43 any thoughts on if this will impact intern?

@jason0x43
Member

I'm not really familiar enough with the issue to say. As long as the behavior is optional, Intern could set the parameter to 'anonymous' by default in client.html to maintain current behavior, and a query param or some other mechanism could be used to change it if necessary.

@kitsonk
Member Author

kitsonk commented Oct 4, 2016

I still think we don't have a loader that works in a secured cross browser environment. We need to dig into this more.

@dylans dylans added this to the 2017.01 milestone Jan 12, 2017
@rorticus rorticus self-assigned this Jan 12, 2017
@rorticus
Contributor

PR for controlling the crossorigin property on the script tags,

#103

@rorticus
Contributor

Talked with @tomdye and we agreed we can close this once the PR lands.
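
The two ideas raised in this thread (an opt-in setting that defaults to false, and an origin check before adding the attribute), combined in an added example that is not part of the original issue or the dojo loader's code. The names `crossOriginFor`, `configureScriptNode` and `mode`, and the `example.test` URLs, are assumptions made for illustration.

```javascript
// Added illustration: hypothetical helper names, not the dojo loader's API.
const VALID_MODES = new Set(['anonymous', 'use-credentials']);

// Decide what to assign to script.crossOrigin for one module URL.
// Returns null when the attribute should be left off entirely.
function crossOriginFor(scriptUrl, pageHref, mode = false) {
  // Default proposed in the thread: false means never add the attribute.
  if (mode === false) {
    return null;
  }
  if (!VALID_MODES.has(mode)) {
    throw new TypeError('mode must be false, "anonymous" or "use-credentials"');
  }
  const page = new URL(pageHref);
  // Resolve relative module paths against the page, as the browser would.
  const target = new URL(scriptUrl, page);
  // URL.origin compares scheme, host and port together, so a different
  // port or an http/https mismatch counts as cross-origin.
  if (target.origin === page.origin) {
    return null; // same-origin load: keep the browser's default request
  }
  return mode;
}

// Apply the decision to a script element (or any object standing in for one).
function configureScriptNode(node, scriptUrl, pageHref, mode) {
  const value = crossOriginFor(scriptUrl, pageHref, mode);
  if (value !== null) {
    node.crossOrigin = value;
  }
  node.src = new URL(scriptUrl, pageHref).href;
  return node;
}

// Constructed sample: a page like the intern/client.html case from the report.
const page = 'https://app.example.test/intern/client.html';
const sameOrigin = configureScriptNode({}, '../loader.js', page, 'anonymous');
const otherOrigin = configureScriptNode({}, 'https://cdn.example.test/lib.js', page, 'anonymous');
console.log(sameOrigin, otherOrigin);
```

In a browser, `pageHref` would be `location.href` and `node` the result of `document.createElement('script')`.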
