Update ScriptFetchOptions() credentials mode to same-origin

Reflecting whatwg/html#3656 (i.e. the credentials mode of https://html.spec.whatwg.org/C/#default-classic-script-fetch-options was changed to same-origin). This CL affects credentials mode used in dynamic import() executed from: - setTimeout("import()") on Window Note: this CL changes the credentials mode used in this case to same-origin, but actually it should be plumbed from initiating scripts (crbug.com/1133238). - javascript: URL - Scripts in isolated worlds Bug: 1114988, 1133238 Change-Id: I87c7083bce99276e6de05745f79bf4e2a0ba6de6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2409895 Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Dominic Farolino <dom@chromium.org> Cr-Commit-Position: refs/heads/master@{#818505} GitOrigin-RevId: 314164e7cd5c59ca0aea95739f29d5634fe98817
mjfroman · Oct 19, 2020 · 1d43891 · 1d43891
1 parent cf6ed45
commit 1d43891
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 18 deletions.
diff --git a/blink/renderer/bindings/core/v8/worker_or_worklet_script_controller.cc b/blink/renderer/bindings/core/v8/worker_or_worklet_script_controller.cc
@@ -329,20 +329,10 @@ ScriptEvaluationResult WorkerOrWorkletScriptController::EvaluateAndReturnValue(
   // Use default ReferrerScriptInfo here, as
   // - A work{er,let} script doesn't have a nonce, and
   // - a work{er,let} script is always "not parser inserted".
-  // TODO(crbug/1114988): After crbug/1114988 is fixed, this can be the
-  // default ScriptFetchOptions(). Currently the default ScriptFetchOptions()
-  // is not used because it has CredentialsMode::kOmit.
-  // TODO(crbug/1114989): Plumb this from ClassicScript.
-  ScriptFetchOptions script_fetch_options(
-      String(), IntegrityMetadataSet(), String(),
-      ParserDisposition::kNotParserInserted,
-      network::mojom::CredentialsMode::kSameOrigin,
-      network::mojom::ReferrerPolicy::kDefault,
-      mojom::blink::FetchImportanceMode::kImportanceAuto);
-
+  // TODO(crbug/1114989): Plumb ScriptFetchOptions from ClassicScript.
   ScriptEvaluationResult result = V8ScriptRunner::CompileAndRunScript(
       isolate_, script_state_, global_scope_, source_code, base_url,
-      sanitize_script_errors, script_fetch_options, v8_cache_options,
+      sanitize_script_errors, ScriptFetchOptions(), v8_cache_options,
       std::move(rethrow_errors));
 
   if (result.GetResultType() == ScriptEvaluationResult::ResultType::kAborted)

diff --git a/blink/renderer/platform/loader/fetch/script_fetch_options.h b/blink/renderer/platform/loader/fetch/script_fetch_options.h
@@ -32,14 +32,11 @@ class PLATFORM_EXPORT ScriptFetchOptions final {
   // https://html.spec.whatwg.org/C/#default-classic-script-fetch-options
   // "The default classic script fetch options are a script fetch options whose
   // cryptographic nonce is the empty string, integrity metadata is the empty
-  // string, parser metadata is "not-parser-inserted", and credentials mode
-  // is "omit"." [spec text]
-  // TODO(domfarolino): Update this to use probably "include" or "same-origin"
-  // credentials mode, once spec decision is made at
-  // https://github.com/whatwg/html/pull/3656.
+  // string, parser metadata is "not-parser-inserted", credentials mode is
+  // "same-origin", and referrer policy is the empty string." [spec text]
   ScriptFetchOptions()
       : parser_state_(ParserDisposition::kNotParserInserted),
-        credentials_mode_(network::mojom::CredentialsMode::kOmit),
+        credentials_mode_(network::mojom::CredentialsMode::kSameOrigin),
         referrer_policy_(network::mojom::ReferrerPolicy::kDefault),
         importance_(mojom::FetchImportanceMode::kImportanceAuto) {}