JavaScript Modules: Credentials mode defaults to "same-origin"

The default credentials mode for module script requests is changing from "omit" to "same-origin", providing credentials to same-origin module script requests and their descendant scripts (static & dynamic imports). The current behavior can be surprising in that it's misaligned with other high-level features like the Fetch API, and in the web platform's current architecture, causes a second server connection. This is undesirable for developers looking to reduce latency.

Specification

Editor's draft

Status in Chromium

Blink components: Blink>HTML>Script

Enabled by default (tracking bug) in:

Chrome for desktop release 71
Chrome for Android release 71
Chrome for iOS release 71
Opera release 58
Opera for Android release 58

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Shipped
Edge: No public signals
Safari: No public signals
Web Developers: Positive

Owner

domfarolino@gmail.com

Last updated on 2018-10-06