Module scripts & credentials

Confirmed Issue #11865956 • Assigned to Jeff W.

Details

Author
Jake
Created
May 2, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Reports
Reported by 1 person

Sign in to watch or report this issue.

Steps to reproduce

https://module-script-tests-zoelmqooyv.now.sh/cookie-page

Edge is fetching module scripts with credentials by default, which is against the spec (even for same origin urls).

Adding the crossorigin attribute should allow credentials to be sent same-origin, but in Edge it prevents sending them.

The correct output of the above page should be:

No random number cookie found.
Random number cookie is: 0.30567383219441924
Random number cookie is: 0.30567383219441924

(Obviously your random number will be different).

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Steven K.”

    • Btw you need to enable experiential JS for this feature.

    • Hi Jake,

      I want to make sure I understand this bug submission.  You are submitting two issues?

      1. Edge is including credentials (non HTTPOnly cookie in this case), in a same-origin request?
        https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

      Can you send a link to the standard specifying this behavior?

      1. Edge is preventing sending credentials for cross-origin requests even when the proper headers are set?

      In 15063.296 I get the following:

      Random number cookie is: 0.6790095925907849
      No random number cookie found.
      Random number cookie is: 0.6790095925907849

      In a recent developer build I get the following, I.e., showing #2 as being fixed.

      Random number cookie is: 0.3340016018227667
      Random number cookie is: 0.3340016018227667
      Random number cookie is: 0.3340016018227667

      Appreciate the help,

      The MS Edge Team

    • Microsoft Edge Team

      Changed Assigned To to “Travis L.”

      Changed Assigned To from “Travis L.” to “Jeff W.”

      Changed Status to “Confirmed”

    You need to sign in to your Microsoft account to add a comment.

    Sign in