PSA: using fetch() or new XMLHttpRequest() from Firefox's privileged (chrome) code will now not send cookies / credential information by default

235 views
Skip to first unread message

Gijs Kruitbosch

unread,
Apr 2, 2024, 6:25:05 PMApr 2
to firefox-dev, dev-platform

Hello,

Over in https://bugzilla.mozilla.org/show_bug.cgi?id=1881800 I changed fetch() and XMLHttpRequest uses from chrome privileged ("system principal") code to default to not sending any "credentials" (primarily: cookies).

This does not affect web content, not least because it is directly counter to the spec! The webidl bits have been updated to call this out.

If it's directly counter to the spec and how the web behaves - why make this change?

Well, because most background requests that Firefox makes (e.g. to check for or download application updates, update other data like safebrowsing or certificate lists, or user add-ons, determine if the device is subject to a wifi captive portal, etc. etc.) are meant to be anonymous and do not rely on cookies.

We have run audits in the past to make sure such requests explicitly disable sending cookies, and so this shouldn't immediately lead to a change in behaviour - but changing the default makes it less likely to unnecessarily send them in the future, and easier to identify cases where sending credentials is intentional (e.g. logging into accounts, explicitly repeating past “normal” website requests from inside devtools, etc.).

If you do need to send credentials, you can explicitly specify optional arguments to fetch ({credentials: “same-origin”}) and XHR ({mozAnon: false}) to continue sending them.

Thanks,
Gijs


Reply all
Reply to author
Forward
0 new messages