v1.9.528 doesn't include credentials on chrome

[tsalufe]

We had this code to get pdf through authenticated url
PDFJS.getDocument(url)
that breaks with version 1.9.528 on Chrome because it doesn't include CSRF-TOKEN in the request. However, it works on firefox and safari. Now I have to fix it by enforce withCredentials: true. Does new version set the default of withCredentials to false?

[yurydelendik]

We are switching to more efficient fetch() instead of XHR. The defaults might change, let us know which default in https://developer.mozilla.org/en-US/docs/Web/API/Request/Request affects CSRF-TOKEN. If it's possible we will try to address this. Also notice that we don't want to make PDF.js less secure (even if we supported this in the past)

[tsalufe]

I'm not sure about that. Maybe credentials ?

credentials: The request credentials you want to use for the request: omit, same-origin, or include. The default is omit. In Chrome the default is same-origin before Chrome 47 and include starting with Chrome 47.

[mukulmishra18]

I'm not sure about that. Maybe credentials ?

We are including credentials, if withCredentials is set, see:

pdf.js/src/display/fetch_stream.js

Line 29 in 9b14f8e

credentials: withCredentials ? 'include' : 'omit',

I think that is why it works when you set withCredentials: true.

[tsalufe]

I think so.

[yurydelendik]

Okay, from reading https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials, I have impression that to be compatible with XHR we need to use 'same-origin' instead of 'omit' there. I think it is safe in our context.

[tsalufe]

I think include definitely works for me since it's the setting of credentials when I set withCredentials to true. same-origin might limit the pdf on the same site, i.e not allowing authenticated access to pdf's on another site?

[yurydelendik]

same-origin might limit the pdf on the same site, i.e not allowing authenticated access to pdf's on another site

That's how XHR worked before we introduced fetch().