Bug 1493449. Change the default credentials mode for module scripts f…
…rom 'omit' to 'same-origin'. r=farre

The tests come directly from
web-platform-tests/wpt#13176 and
web-platform-tests/wpt#13245

Differential Revision: https://phabricator.services.mozilla.com/D7113

UltraBlame original commit: e2ec1eeb812d2a3178c303e9ba5538e0d2264bec
marco-c committed Oct 3, 2019
1 parent d1d35df commit ebbe4b4
Showing 7 changed files with 113 additions and 25 deletions.
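--- a/dom/script/ScriptLoader.cpp
+++ b/dom/script/ScriptLoader.cpp
@@ -1070,9 +1070,8 @@ ScriptLoader::StartLoad(ScriptLoadRequest* aRequest)
 
 
 securityFlags = nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS;
-if (aRequest->CORSMode() == CORS_NONE) {
-securityFlags |= nsILoadInfo::SEC_COOKIES_OMIT;
-} else if (aRequest->CORSMode() == CORS_ANONYMOUS) {
+if (aRequest->CORSMode() == CORS_NONE ||
+aRequest->CORSMode() == CORS_ANONYMOUS) {
 securityFlags |= nsILoadInfo::SEC_COOKIES_SAME_ORIGIN;
 } else {
 MOZ_ASSERT(aRequest->CORSMode() == CORS_USE_CREDENTIALS);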
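Review bot: The new condition `if (aRequest->CORSMode() == CORS_NONE || aRequest->CORSMode() == CORS_ANONYMOUS)` widens what a module script with no crossorigin attribute sends (same-origin cookies instead of none), and nothing at that line records why. I would add a comment above it such as `// Module scripts default to "same-origin" credentials; only crossorigin="use-credentials" sends them cross-origin.` The trailing `else` is guarded only by `MOZ_ASSERT`, which is compiled out of non-debug builds, so a CORSMode value outside the three named here would presumably take the credentialed path; that branch's body lies outside the hunk, so this needs confirming there. Testing for `CORS_USE_CREDENTIALS` first and letting everything else fall to `SEC_COOKIES_SAME_ORIGIN` would make the unexpected case fail closed.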
@@ -0,0 +1,4 @@
[dynamic-imports-credentials.sub.html]
[Dynamic imports should be loaded with or without the credentials based on the same-origin-ness and the parent script's crossOrigin attribute]
expected: FAIL
bug: 1342012
@@ -1,3 +1,4 @@
[dynamic-imports-fetch-error.sub.html]
[import(): error cases occuring during fetching]
expected: FAIL
bug: 1342012
Expand Up @@ -39,31 +39,31 @@
}).then(() => {
const w = iframe.contentWindow;

assert_equals(w.sameOriginNone, 'not found',
'Modules should be loaded without the credentials when the crossOrigin attribute is not specified and the target is same-origin');
assert_equals(w.sameOriginNone, 'found',
'Modules should be loaded with the credentials when the crossOrigin attribute is not specified and the target is same-origin');
assert_equals(w.sameOriginAnonymous, 'found',
'Modules should be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is same-origin');
assert_equals(w.sameOriginUseCredentials, 'found',
'Modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is same-origin');
assert_equals(w.crossOriginNone, 'not found',
'Modules should be loaded without the credentials when the crossOrigin attribute is not specified and the target is cross-origin');
'Modules should not be loaded with the credentials when the crossOrigin attribute is not specified and the target is cross-origin');
assert_equals(w.crossOriginAnonymous, 'not found',
'Modules should be loaded without the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is cross-origin');
'Modules should not be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is cross-origin');
assert_equals(w.crossOriginUseCredentials, 'found',
'Modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is cross-origin');

assert_equals(w.sameOriginNoneDecendent, 'not found',
'Decendent modules should be loaded without the credentials when the crossOrigin attribute is not specified and the target is same-origin');
assert_equals(w.sameOriginAnonymousDecendent, 'found',
'Decendent modules should be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is same-origin');
assert_equals(w.sameOriginUseCredentialsDecendent, 'found',
'Decendent modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is same-origin');
assert_equals(w.crossOriginNoneDecendent, 'not found',
'Decendent modules should be loaded without the credentials when the crossOrigin attribute is not specified and the target is cross-origin');
assert_equals(w.crossOriginAnonymousDecendent, 'not found',
'Decendent modules should be loaded without the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is cross-origin');
assert_equals(w.crossOriginUseCredentialsDecendent, 'found',
'Decendent modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is cross-origin');
assert_equals(w.sameOriginNoneDescendant, 'found',
'Descendant modules should be loaded with the credentials when the crossOrigin attribute is not specified and the target is same-origin');
assert_equals(w.sameOriginAnonymousDescendant, 'found',
'Descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is same-origin');
assert_equals(w.sameOriginUseCredentialsDescendant, 'found',
'Descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is same-origin');
assert_equals(w.crossOriginNoneDescendant, 'not found',
'Descendant modules should not be loaded with the credentials when the crossOrigin attribute is not specified and the target is cross-origin');
assert_equals(w.crossOriginAnonymousDescendant, 'not found',
'Descendant modules should not be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is cross-origin');
assert_equals(w.crossOriginUseCredentialsDescendant, 'found',
'Descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is cross-origin');
});
}, 'Modules should be loaded with or without the credentials based on the same-origin-ness and the crossOrigin attribute');
</script>
@@ -0,0 +1,58 @@
<!DOCTYPE html>
<meta charset="utf-8">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>

<script type="text/javascript">
host_info = get_host_info();

document.cookie = 'same=1';

const setCookiePromise = fetch(
'http://{{domains[www2]}}:{{ports[http][0]}}/cookies/resources/set-cookie.py?name=cross&path=/html/semantics/scripting-1/the-script-element/module/',
{
mode: 'no-cors',
credentials: 'include',
});

const windowLoadPromise = new Promise(resolve => {
window.addEventListener('load', () => {
resolve();
});
});

promise_test(t => {
const iframe = document.createElement('iframe');

return Promise.all([setCookiePromise, windowLoadPromise]).then(() => {
const messagePromise = new Promise(resolve => {
window.addEventListener('message', event => {
resolve();
});
});

iframe.src = '../resources/dynamic-import-credentials-iframe.sub.html';
document.body.appendChild(iframe);

return messagePromise;
}).then(() => {
const w = iframe.contentWindow;

assert_equals(w.sameOriginNoneDynamicDescendant, 'found',
'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is not specified and the target is same-origin');
assert_equals(w.sameOriginAnonymousDynamicDescendant, 'found',
'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is same-origin');
assert_equals(w.sameOriginUseCredentialsDynamicDescendant, 'found',
'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is same-origin');
assert_equals(w.crossOriginNoneDynamicDescendant, 'not found',
'Dynamic descendant modules should not be loaded with the credentials when the crossOrigin attribute is not specified and the target is cross-origin');
assert_equals(w.crossOriginAnonymousDynamicDescendant, 'not found',
'Dynamic descendant modules should not be loaded with the credentials when the crossOrigin attribute is specified with "anonymous" as its value and the target is cross-origin');
assert_equals(w.crossOriginUseCredentialsDynamicDescendant, 'found',
'Dynamic descendant modules should be loaded with the credentials when the crossOrigin attribute is specified with "use-credentials" as its value and the target is cross-origin');
});
}, 'Dynamic imports should be loaded with or without the credentials based on the same-origin-ness and the parent script\'s crossOrigin attribute');
</script>
<body>
</body>
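Review bot: `host_info = get_host_info();` creates an implicit global that the rest of this new file never reads, so the line and the `/common/get-host-info.sub.js` include can both go, or the cross-origin URL can be built from `host_info` instead of the `{{domains[www2]}}` substitution. The `message` listener inside `promise_test` resolves on any message from any sender; checking `event.source === iframe.contentWindow` before calling `resolve()` keeps an unrelated message from ending the wait before the iframe has reported.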
Expand Up @@ -25,22 +25,22 @@
</script>

<script type="module">
import "./check-cookie.py?id=sameOriginNoneDecendent&cookieName=same";
import "./check-cookie.py?id=sameOriginNoneDescendant&cookieName=same";
</script>
<script type="module" crossOrigin="anonymous">
import "./check-cookie.py?id=sameOriginAnonymousDecendent&cookieName=same";
import "./check-cookie.py?id=sameOriginAnonymousDescendant&cookieName=same";
</script>
<script type="module" crossOrigin="use-credentials">
import "./check-cookie.py?id=sameOriginUseCredentialsDecendent&cookieName=same";
import "./check-cookie.py?id=sameOriginUseCredentialsDescendant&cookieName=same";
</script>
<script type="module">
import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginNoneDecendent&cookieName=cross";
import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginNoneDescendant&cookieName=cross";
</script>
<script type="module" crossOrigin="anonymous">
import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginAnonymousDecendent&cookieName=cross";
import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginAnonymousDescendant&cookieName=cross";
</script>
<script type="module" crossOrigin="use-credentials">
import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginUseCredentialsDecendent&cookieName=cross";
import "http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginUseCredentialsDescendant&cookieName=cross";
</script>

<script type="text/javascript">
@@ -0,0 +1,26 @@
<!DOCTYPE html>
<script type="module">
import("./check-cookie.py?id=sameOriginNoneDynamicDescendant&cookieName=same");
</script>
<script type="module" crossOrigin="anonymous">
import("./check-cookie.py?id=sameOriginAnonymousDynamicDescendant&cookieName=same");
</script>
<script type="module" crossOrigin="use-credentials">
import("./check-cookie.py?id=sameOriginUseCredentialsDynamicDescendant&cookieName=same");
</script>
<script type="module">
import("http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginNoneDynamicDescendant&cookieName=cross");
</script>
<script type="module" crossOrigin="anonymous">
import("http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginAnonymousDynamicDescendant&cookieName=cross");
</script>
<script type="module" crossOrigin="use-credentials">
import("http://{{domains[www2]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/check-cookie.py?id=crossOriginUseCredentialsDynamicDescendant&cookieName=cross");
</script>


<script type="text/javascript">
window.addEventListener('load', event => {
window.parent.postMessage({}, '*');
});
</script>
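Review bot: The `load` handler posts to the parent without waiting for the six `import()` calls above it, whose promises are all discarded, so nothing visible in this file guarantees the `check-cookie.py` responses have run before the parent reads the `w.*DynamicDescendant` values. If `load` is not held back by in-flight dynamic imports, the parent sees `undefined` and the failure looks like a credentials bug; keeping each promise (for example `window.pending = (window.pending || []).concat(import(...))`) and posting from `Promise.all(window.pending).then(...)` removes the dependence on load timing. `window.parent.postMessage({}, '*')` could name `location.origin` as the target, since the parent is the same-origin test page and the wildcard is not needed.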
