- From: Domenic Denicola <notifications@github.com>
- Date: Fri, 17 Jan 2020 11:03:32 -0800
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 17 January 2020 19:04:03 UTC
I agree with @annevk that I would expect it to use `"include"`. I suspect this was lost in a refactoring. Some research:

- [The earliest HTML commit snapshot](https://html.spec.whatwg.org/commit-snapshots/c9e804f04d03a0658bfa689cb0f368a4d2e37936/#dom-workerglobalscope-importscripts), before integration with the Fetch Standard, uses a "fetch" algorithm defined in HTML. That algorithm sends cookies by default unless invoked with the "block cookies" flag, which is not the case here.
- [This old revision](https://html.spec.whatwg.org/commit-snapshots/18b243aafe328f5cc2095ddfdcdabd585f74b026/#dom-workerglobalscope-importscripts) explicitly sets credentials mode to "include".

I would guess this got lost when introducing module scripts, but I didn't spend the time to confirm.

"same-origin" would be a nice tightening, but probably we should just go back to what the old spec says.

A spec pull request and web platform tests would be very welcome, if you have the time.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1497#issuecomment-575754226