JavaScript Modules: Credentials mode defaults to "same-origin"

The default credentials mode for module script requests is changing from "omit" to "same-origin", providing credentials to same-origin module script requests and their descendant scripts (static & dynamic imports). The current behavior can be surprising in that it's misaligned with other high-level features like the Fetch API, and in the web platform's current architecture, causes a second server connection. This is undesirable for developers looking to reduce latency.

Specification

Editor's draft

Status in Chromium

Blink components: Blink>HTML>Script

Enabled by default (tracking bug) in:

Chrome for desktop release 72
Chrome for Android release 72
Android WebView release 72

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Shipped
Edge: No public signals
Safari: No public signals
Web Developers: Positive

Owner

domfarolino@gmail.com

Last updated on 2019-02-07