Credentials on scripts imported by importScripts() #1497

makotoshimazu · 2020-01-15T08:38:33Z

This is similar to whatwg/html#2557.
Chrome now has a bug around the credentials mode (issue), and I'm now wondering what is the correct value for the request's credentials mode.

As far as I read the spec, importScripts() uses fetch a classic worker-imported script which doesn't set any value to the credentials mode, while the main script is set to "same-origin". The default value of the request's credentials mode is "omit", so I think it's "omit".

I implemented the byte-for-byte checking in that way recently, but found that the existing implementation seems to use "include".
What would be the best value for that?

So far, I'm feeling that using "same-origin" would be less confusing.

mfalken · 2020-01-17T07:23:11Z

It looks like we changed fetch() to use "same-origin" credentials by default (whatwg/fetch#585), probably "importScripts()" in workers should also do that?

It'd be useful to see what other browsers do here. cc/ @jakearchibald @annevk

annevk · 2020-01-17T14:35:56Z

I would expect importScripts() to use "include", similar to classic scripts. Or is importScripts() different from classic scripts in service workers?

annevk · 2020-01-17T14:36:17Z

cc @domenic

domenic · 2020-01-17T19:03:16Z

I agree with @annevk that I would expect it to use "include". I suspect this was lost in a refactoring. Some research:

The earliest HTML commit snapshot, before integration with the Fetch Standard, uses a "fetch" algorithm defined in HTML. That algorithm sends cookies by default unless invoked with the "block cookies" flag, which is not the case here.
This old revision explicitly sets credentials mode to "include".

I would guess this got lost when introducing module scripts, but I didn't spend the time to confirm.

"same-origin" would be a nice tightening, but probably we should just go back to what the old spec says.

A spec pull request and web platform tests would be very welcome, if you have the time.

Before the new byte-for-byte checking, credentials_mode was set to kInclude for imported scripts. However, ServiceWorkerSingleScriptUpdateChecker sets the flag to kOmit because it's missed from the current spec. This CL is to correct the mode to fix the unintentional change. Spec issue: w3c/ServiceWorker#1497 Bug: 1042159 Change-Id: I553d7bec015eb4cb80f7f59c640f26491fa02b75

Before the new byte-for-byte checking, credentials_mode was set to kInclude for imported scripts. However, ServiceWorkerSingleScriptUpdateChecker sets the flag to kOmit because it's missed from the current spec. This CL is to correct the mode to fix the unintentional change. Spec issue: w3c/ServiceWorker#1497 Bug: 1042159 Change-Id: I553d7bec015eb4cb80f7f59c640f26491fa02b75 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2032689 Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Commit-Queue: Makoto Shimazu <shimazu@chromium.org> Cr-Commit-Position: refs/heads/master@{#737253}

…as credentials, a=testonly Automatic update from web-platform-tests ServiceWorkerSingleScriptUpdateChecker has credentials Before the new byte-for-byte checking, credentials_mode was set to kInclude for imported scripts. However, ServiceWorkerSingleScriptUpdateChecker sets the flag to kOmit because it's missed from the current spec. This CL is to correct the mode to fix the unintentional change. Spec issue: w3c/ServiceWorker#1497 Bug: 1042159 Change-Id: I553d7bec015eb4cb80f7f59c640f26491fa02b75 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2032689 Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Commit-Queue: Makoto Shimazu <shimazu@chromium.org> Cr-Commit-Position: refs/heads/master@{#737253} -- wpt-commits: acc51c1f9cb98db4419132c4cf8510c13e958f0f wpt-pr: 21528

…as credentials, a=testonly Automatic update from web-platform-tests ServiceWorkerSingleScriptUpdateChecker has credentials Before the new byte-for-byte checking, credentials_mode was set to kInclude for imported scripts. However, ServiceWorkerSingleScriptUpdateChecker sets the flag to kOmit because it's missed from the current spec. This CL is to correct the mode to fix the unintentional change. Spec issue: w3c/ServiceWorker#1497 Bug: 1042159 Change-Id: I553d7bec015eb4cb80f7f59c640f26491fa02b75 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2032689 Reviewed-by: Hiroki Nakagawa <nhirokichromium.org> Commit-Queue: Makoto Shimazu <shimazuchromium.org> Cr-Commit-Position: refs/heads/master{#737253} -- wpt-commits: acc51c1f9cb98db4419132c4cf8510c13e958f0f wpt-pr: 21528 UltraBlame original commit: e52a0f3b0f4edb3b614ad50b400d26bbcdd3f20e

…as credentials, a=testonly Automatic update from web-platform-tests ServiceWorkerSingleScriptUpdateChecker has credentials Before the new byte-for-byte checking, credentials_mode was set to kInclude for imported scripts. However, ServiceWorkerSingleScriptUpdateChecker sets the flag to kOmit because it's missed from the current spec. This CL is to correct the mode to fix the unintentional change. Spec issue: w3c/ServiceWorker#1497 Bug: 1042159 Change-Id: I553d7bec015eb4cb80f7f59c640f26491fa02b75 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2032689 Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Commit-Queue: Makoto Shimazu <shimazu@chromium.org> Cr-Commit-Position: refs/heads/master@{#737253} -- wpt-commits: acc51c1f9cb98db4419132c4cf8510c13e958f0f wpt-pr: 21528

Before the new byte-for-byte checking, credentials_mode was set to kInclude for imported scripts. However, ServiceWorkerSingleScriptUpdateChecker sets the flag to kOmit because it's missed from the current spec. This CL is to correct the mode to fix the unintentional change. Spec issue: w3c/ServiceWorker#1497 Bug: 1042159 Change-Id: I553d7bec015eb4cb80f7f59c640f26491fa02b75 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2032689 Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Commit-Queue: Makoto Shimazu <shimazu@chromium.org> Cr-Commit-Position: refs/heads/master@{#737253} (cherry picked from commit 20aa9a3) TBR=shimazu@chromium.org Change-Id: I553d7bec015eb4cb80f7f59c640f26491fa02b75 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2037842 Reviewed-by: Krishna Govind <govind@chromium.org> Reviewed-by: Makoto Shimazu <shimazu@chromium.org> Commit-Queue: Makoto Shimazu <shimazu@chromium.org> Cr-Commit-Position: refs/branch-heads/4044@{chromium#45} Cr-Branched-From: a6d9daf-refs/heads/master@{#737173}

chromium-wpt-export-bot mentioned this issue Jan 31, 2020

ServiceWorkerSingleScriptUpdateChecker has credentials web-platform-tests/wpt#21528

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Credentials on scripts imported by importScripts() #1497

Credentials on scripts imported by importScripts() #1497

makotoshimazu commented Jan 15, 2020

mfalken commented Jan 17, 2020

annevk commented Jan 17, 2020

annevk commented Jan 17, 2020

domenic commented Jan 17, 2020

Credentials on scripts imported by importScripts() #1497

Credentials on scripts imported by importScripts() #1497

Comments

makotoshimazu commented Jan 15, 2020

mfalken commented Jan 17, 2020

annevk commented Jan 17, 2020

annevk commented Jan 17, 2020

domenic commented Jan 17, 2020