Skip to content

Commit

Permalink
Change how module scripts are fetched
Browse files Browse the repository at this point in the history 
* Module scripts are always fetched with request credentials mode
  "same-origin" by default, instead of the previous default of "omit".
  Only worker module scripts can still set that to "omit", using the
  credentials option to the Worker constructor. Non-worker module
  scripts, which only have the crossorigin="" attribute available, can
  only toggle between "same-origin" and "include", similar to how
  crossorigin="" works for other platform features.
* Similarly, import() statements inside of classic scripts now use the
  "same-origin" credentials mode, instead of "omit". This affects both
  <script> elements, where the default can be changed using
  crossorigin="", and other contexts like javascript: URLs and classic
  worker scripts, where the default cannot be changed.
* The top-level script for module workers is always fetched with request
  mode "same-origin". Cross-origin workers did not quite work due to
  service workers.

Fixes #2557. Fixes #3109.

Tests:

* web-platform-tests/wpt#11274
* web-platform-tests/wpt#13176
* web-platform-tests/wpt#13426
  • Loading branch information
@annevk @domenic
annevk authored and domenic committed Oct 9, 2018
1 parent a6c8281 commit 5fabb58
Showing 1 changed file with 9 additions and 5 deletions.
14 changes: 9 additions & 5 deletions source
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7120,8 +7120,6 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute

<dl class="switch">
<dt><span data-x="attr-crossorigin-none">No CORS</span></dt>
<dd>"<code data-x="">omit</code>"</dd>

<dt><span data-x="attr-crossorigin-anonymous">Anonymous</span></dt>
<dd>"<code data-x="">same-origin</code>"</dd>

Expand Down Expand Up @@ -86649,8 +86647,9 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
empty string, <span data-x="concept-script-fetch-options-parser">parser metadata</span> is "<code
data-x="">not-parser-inserted</code>", <span
data-x="concept-script-fetch-options-credentials">credentials mode</span> is "<code
data-x="">omit</code>", and <span data-x="concept-script-fetch-options-referrer-policy">referrer
policy</span> is the empty string.</p>
data-x="">same-origin</code>", and <span
data-x="concept-script-fetch-options-referrer-policy">referrer policy</span> is the empty
string.</p>

<p>Given a <span data-x="concept-request">request</span> <var>request</var> and a <span>script
fetch options</span> <var>options</var>, we define:</p>
Expand Down Expand Up @@ -87008,6 +87007,11 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
data-x="concept-request-client">client</span> is <var>fetch client settings
object</var>.</p></li>

<li><p>If <var>destination</var> is "<code data-x="">worker</code>" or "<code
data-x="">sharedworker</code>" and the <var>top-level module fetch</var> flag is set, then set
<var>request</var>'s <span data-x="concept-request-mode">mode</span> to "<code
data-x="">same-origin</code>".

<li><p><span>Set up the module script request</span> given <var>request</var> and
<var>options</var>.</p></li>

Expand Down Expand Up @@ -98182,7 +98186,7 @@ interface <dfn>Worker</dfn> : <span>EventTarget</span> {

dictionary <dfn>WorkerOptions</dfn> {
<span>WorkerType</span> type = "classic";
<span>RequestCredentials</span> credentials = "omit"; // credentials is only used if type is "module"
<span>RequestCredentials</span> credentials = "same-origin"; // credentials is only used if type is "module"
DOMString name = "";
};

Expand Down

1 comment on commit 5fabb58

@jjcm
Copy link

@jjcm jjcm commented on 5fabb58 Oct 30, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very happy to see this change. Good work @annevk and @domenic

Please sign in to comment.