Make fetch() use "same-origin" credentials by default #585
Conversation
Most features in the platform have this default and not having this default causes multiple connections in contemporary implementations. It also causes confusion as switching from XMLHttpRequest to fetch() is not as seamless as it could be. Making this change will also make it easier for <script type=module> to have this default as per discussion in whatwg/html#2557.
Even though I have followed the |
I agree that this is a more reasonable default, but also much concerned with possible break of existing apps, though your guess at whatwg/html#2557 (comment) sounds correct. |
I've reached out to devs on Twitter. Response is almost entirely positive. One exception: https://twitter.com/rsjanabasis/status/901012433615020033, and I believe they're going to give us details. |
Thanks Jake for checking. It's good that it's supported. And, yeah, that looks really one example of the concern. |
IIUC, changing the default from "omit" to "same-origin" can only mean that credentials are sometimes sent when they otherwise would not be. For resources where it makes a difference at all, it seems rather unusual that the no-credentials response is the one that you want, but that the with-credentials response is some broken/unexpected resource. Certainly possible to create, and certain to appear in the wild given enough time, but are there cases we should worry about? Overall, the compat risk here seems very low. |
If we are going to do this it would be nice to try to coordinate shipping the change around the same time. |
Okay, I'll file four implementation bugs. My thinking is that we can update the tests as part of changing the implementation. Easiest to discover all the tests that need changing that way. Is that okay or should I try and prepare test updates? |
That seems like a good idea where testing without an implementation is error-prone, just leave an open "missing tests" issue and point to it from the impl bugs. |
I was thinking I'd just leave this open until we have a patch or two and no objections. |
Yeah, that works too. If we have a buildup of "awaiting implementation" issues I guess labels can alleviate that. |
Thanks, Philip. I'd like to wait and hear the details of what Foggy said in the tweet quoted in #585 (comment). But except for that, I share your analysis basically. |
I want to make sure that we can block sending credentials by appropriately filtering the request. For example, if we shadow "fetch" with safe_fetch: |
Right. The topic is about changing the default which is used when the credentials parameter is not specified. You can still explicitly specify the credentials parameter with the value (Your example doesn't inherit values from |
I'd write
|
Is there anything remaining that would block this from being implemented? I'd like this to be done so we can align JavaScript modules with this default and avoid a ton of confusion there. |
Yes, that's better.
…On Wed, Aug 30, 2017 at 12:53 AM, Anne van Kesteren < ***@***.***> wrote:
I'd write safe_fetch as:
function safe_fetch(input, init) {
const tempRequest = new Request(input, init);
return fetch(tempRequest, { credentials: "omit" });
}
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#585 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AeAEaN34lgLJX836Hcxw0clTLFTPsrCHks5sdRTcgaJpZM4PCWLF>
.
|
Thanks Foggy. So, I'm fine with the plan now. |
Okay, I'll merge this as soon as one of the bugs above gets marked fixed and web-platform-tests is updated. |
The browsers currently do not default to same-origin behaviour for modules, so we need to be explicit in order for necessary credentials to be passed along. This seems to be changing though, but we need to wait for the browsers to actually roll out more lenient defaults: whatwg/fetch#585
It seems like WPTs are one of the things holding this PR and Mozilla's implementation back (given https://bugs.chromium.org/p/chromium/issues/detail?id=759543#c7). I'm happy to work on this if nobody else has started. |
@domfarolino created web-platform-tests changes in web-platform-tests/wpt#9911 and is planning to go ahead in Chrome. (Unfortunately there isn't much test coverage for this today.) I wonder if we should simultaneously change module workers since that's the only other feature that exposes this default at the moment. @domfarolino what do you think? |
(And I guess that aspect of the feature isn't tested then? @domenic?) |
Yes, I happened to be checking in FF nightly when I responded earlier. But AFAICT it's already in FF stable -- v61 from a few weeks ago. So apparently I just happened to get caught by this in the gap (about a month, it seems?) between FF and Chrome going stable with it. Anyone know when Safari will be updating this (stable)? |
Definitely something for @youennf |
It was changed in whatwg/fetch#585 but it'd be better not to depend on it now.
@Andreas-Hjortland thanks for taking the time to point that out, please see #901 for a discussion. In particular, it's indeed confusing, but is distinct from the API. |
Ensure we set `credentials: 'same-origin'` so that all browsers send credentials on fetch requests, but only for same-origin requests. This is to address an issue with FF ESR (60) which was not sending credentials. Other browser default to 'same-origin', but FF ESR requires it explicitly. This behaviour was changed to match other browsers from FF61: whatwg/fetch#585 (comment)
Ensure we set `credentials: 'same-origin'` so that all browsers send credentials on fetch requests, but only for same-origin requests. This is to address an issue with FF ESR (60) which was not sending credentials. Other browser default to 'same-origin', but FF ESR requires it explicitly. This behaviour was changed to match other browsers from FF61: whatwg/fetch#585 (comment)
Most features in the platform have this default and not having this default causes multiple connections in contemporary implementations. It also causes confusion as switching from XMLHttpRequest to fetch() is not as seamless as it could be.
Making this change will also make it easier for <script type=module> to have this default as per discussion in whatwg/html#2557.
Preview | Diff