Hello,

Over in https://bugzilla.mozilla.org/show_bug.cgi?id=1881800 I changed
fetch() and XMLHttpRequest uses from chrome privileged ("system principal")
code to default to not sending any "credentials" (primarily: cookies).

This does not affect web content, not least because it is directly counter
to the spec! The webidl bits have been updated to call this out.

If it's directly counter to the spec and how the web behaves - why make
this change?

Well, because most background requests that Firefox makes (e.g. to check
for or download application updates, update other data like safebrowsing or
certificate lists, or user add-ons, determine if the device is subject to a
wifi captive portal, etc. etc.) are meant to be anonymous and do not rely
on cookies.

We have run audits in the past to make sure such requests explicitly
disable sending cookies, and so this shouldn't immediately lead to a change
in behaviour - but changing the default makes it less likely to
unnecessarily send them in the future, and easier to identify cases where
sending credentials is intentional (e.g. logging into accounts, explicitly
repeating past “normal” website requests from inside devtools, etc.).

If you do need to send credentials, you can explicitly specify optional
arguments to fetch (`{credentials: "same-origin"}`) and XHR (`{mozAnon: false}`)
to continue sending them.
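The following is an added example, not code from the post or from Firefox itself. It models the policy described above as a small wrapper: a request from system-principal code gets `credentials: "omit"` unless the caller asks for something else, web-content callers keep the spec default of `"same-origin"`, and an XHR factory turns the `mozAnon` constructor option on unless credentials are explicitly requested. The helper names (`applyPrivilegedDefaults`, `privilegedFetch`, `makePrivilegedXhr`, `recordingFetch`) and the injectable fetch implementation are assumptions made so the behaviour can be exercised offline; the URLs are constructed.

```javascript
// Added example (hypothetical helpers, not Firefox's implementation).
// Models "privileged requests send no credentials unless asked".

// Apply the credentials default to a fetch() RequestInit.
// System-principal callers default to "omit"; web content keeps the
// spec default of "same-origin". An explicit value always wins.
function applyPrivilegedDefaults(init = {}, { isSystemPrincipal = true } = {}) {
  const result = { ...init };
  if (result.credentials === undefined) {
    result.credentials = isSystemPrincipal ? "omit" : "same-origin";
  }
  return result;
}

// Wrapper around fetch(). `fetchImpl` is injectable so the effective
// RequestInit can be inspected without any network access.
function privilegedFetch(url, init, fetchImpl = globalThis.fetch) {
  return fetchImpl(url, applyPrivilegedDefaults(init));
}

// XHR factory: mozAnon is Firefox's constructor flag for a
// credential-less XMLHttpRequest. Sending credentials must be opted into,
// which corresponds to passing {mozAnon: false} as the post describes.
function makePrivilegedXhr(XhrCtor, { sendCredentials = false } = {}) {
  return new XhrCtor({ mozAnon: !sendCredentials });
}

// Constructed fake fetch that records each call and returns a stub
// response, standing in for the real network.
function recordingFetch() {
  const calls = [];
  const impl = (url, init) => {
    calls.push({ url, init });
    return { ok: true, status: 200 };
  };
  return { impl, calls };
}

// Stand-alone demonstration (constructed URLs).
function demo() {
  const { impl, calls } = recordingFetch();
  // Background check, e.g. an update manifest: anonymous by default.
  privilegedFetch("https://updates.example.invalid/manifest.json", undefined, impl);
  // Account login: credentials requested explicitly.
  privilegedFetch("https://accounts.example.invalid/session",
                  { method: "POST", credentials: "same-origin" }, impl);
  return calls.map(c => `${c.url} -> credentials=${c.init.credentials}`);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const line of demo()) console.log(line);
}
```

The point of the wrapper is the audit property the post mentions: once the default is "omit", every call site that does send cookies has to say so in its own arguments, which is easy to grep for and review.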

Thanks,
Gijs

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CACWru5bq%2BPSVjfLewndGX2w5OxcJKkfj4kuZstbcpLTvYwbhuQ%40mail.gmail.com.