corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 1822699 - Use credentials="same origin" for dynamic import scripts in a classic worker script. r=jonco

Browse Source 
HostLoadImportedModule,
https://html.spec.whatwg.org/multipage/webappapis.html#hostloadimportedmodule

<spec>
6. If referrer is a Script Record or a Module Record, then:
   3. Set fetchOptions to the descendant script fetch options for
      referencingScript's fetch options.
</spec>

And the referencingScript can be either:
  - a classic worker script.
  - a module worker script.

For the classic worker script, its fetch options are defined in
'fetch a classic worker script'
https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-classic-worker-script
See the algorithm processResponseConsumeBody

  <spec>
  5. Let script be the result of creating a classic script using
     source text, script settings object, response's URL, and the
     default classic script fetch options.
  </spec>

  Default classic script fetch options
  https://html.spec.whatwg.org/multipage/webappapis.html#default-classic-script-fetch-options

  <spec>
  The default classic script fetch options are a script fetch options
  whose ... credentials mode is "same-origin", ....
  </spec>

For the module worker script, its fetch options are defined in
'fetch a worklet/module worker script graph'

https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-worklet/module-worker-script-graph

<spec>
1. Let options be a script fetch options whose ... credentials mode is
   _credentials mode_ ...
</spec>

where _credentials mode_ is provided when a worklet or a module worker
is created.

Differential Revision: https://phabricator.services.mozilla.com/D180088
This commit is contained in:
Yoshi Cheng-Hao Huang
2023-06-07 07:54:56 +00:00
parent 3fd03a3ae5
commit b62ed704ef
3 changed files with 12 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
dom/workers/ScriptLoader.cpp
View File

@@ -945,9 +945,18 @@ nsresult WorkerScriptLoader::LoadScript(
: request->ReferrerPolicy();
referrerInfo = new ReferrerInfo(request->mReferrer, policy);
rv = GetModuleSecFlags(
loadContext->IsTopLevel(), principal, mWorkerScriptType,
request->mURI, mWorkerRef->Private()->WorkerCredentials(), secFlags);
// https://html.spec.whatwg.org/multipage/webappapis.html#default-classic-script-fetch-options
// The default classic script fetch options are a script fetch options
// whose ... credentials mode is "same-origin", ....
RequestCredentials credentials =
mWorkerRef->Private()->WorkerType() == WorkerType::Classic
? RequestCredentials::Same_origin
: mWorkerRef->Private()->WorkerCredentials();
rv = GetModuleSecFlags(loadContext->IsTopLevel(), principal,
mWorkerScriptType, request->mURI, credentials,
secFlags);
} else {
referrerInfo = ReferrerInfo::CreateForFetch(principal, nullptr);
if (parentWorker && !loadContext->IsTopLevel()) {