# HG changeset patch
# User Boris Zbarsky
# Date 1538801353 0
# Node ID e2ec1eeb812d2a3178c303e9ba5538e0d2264bec
# Parent 3147b219ecc28435d75c59625571e75628c22711
Bug 1493449. Change the default credentials mode for module scripts from 'omit' to 'same-origin'. r=farre
Differential Revision: https://phabricator.services.mozilla.com/D7113
diff --git a/dom/script/ScriptLoader.cpp b/dom/script/ScriptLoader.cpp
--- a/dom/script/ScriptLoader.cpp
+++ b/dom/script/ScriptLoader.cpp
@@ -1012,19 +1012,18 @@ ScriptLoader::StartLoad(ScriptLoadReques
 nsIDocShell* docshell = window->GetDocShell();
 nsCOMPtr prompter(do_QueryInterface(docshell));
 nsSecurityFlags securityFlags;
 if (aRequest->IsModuleRequest()) {
 // According to the spec, module scripts have different behaviour to classic
 // scripts and always use CORS.
 securityFlags = nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS;
- if (aRequest->mCORSMode == CORS_NONE) {
- securityFlags |= nsILoadInfo::SEC_COOKIES_OMIT;
- } else if (aRequest->mCORSMode == CORS_ANONYMOUS) {
+ if (aRequest->mCORSMode == CORS_NONE ||
+ aRequest->mCORSMode == CORS_ANONYMOUS) {
 securityFlags |= nsILoadInfo::SEC_COOKIES_SAME_ORIGIN;
 } else {
 MOZ_ASSERT(aRequest->mCORSMode == CORS_USE_CREDENTIALS);
 securityFlags |= nsILoadInfo::SEC_COOKIES_INCLUDE;
 }
 } else {
 securityFlags = aRequest->mCORSMode == CORS_NONE
 ? nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL
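Review bot: The credential selection in the module-script branch still fails open: the final `else` applies `SEC_COOKIES_INCLUDE` to any mCORSMode that is not CORS_NONE or CORS_ANONYMOUS, and its only guard is `MOZ_ASSERT`, which is not compiled into release builds. Now that two of the three modes share one branch, it would be safer to test `CORS_USE_CREDENTIALS` explicitly and let every other value take `SEC_COOKIES_SAME_ORIGIN`, so an unexpected mode can never widen credential exposure. The comment above the chain only mentions CORS; a line recording that the default credentials mode is now 'same-origin' (same-origin module fetches carry cookies where they previously did not) would keep the merged condition from looking accidental. StartLoad begins and ends outside this hunk, so the code that sets mCORSMode is not visible here.

```cpp
    securityFlags = nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS;
    // The default credentials mode for module scripts is 'same-origin'; only
    // an explicit CORS_USE_CREDENTIALS request includes credentials on
    // cross-origin fetches.
    if (aRequest->mCORSMode == CORS_USE_CREDENTIALS) {
      securityFlags |= nsILoadInfo::SEC_COOKIES_INCLUDE;
    } else {
      MOZ_ASSERT(aRequest->mCORSMode == CORS_NONE ||
                 aRequest->mCORSMode == CORS_ANONYMOUS);
      securityFlags |= nsILoadInfo::SEC_COOKIES_SAME_ORIGIN;
    }
    // … unchanged: classic-script branch …
```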