 

source map HTTP request does not send cookie header

Regarding source maps, I came across a strange behavior in chromium (build 181620). In my app I'm using minified jquery and after logging-in, I started seeing HTTP requests for "jquery.min.map" in server log file. Those requests were lacking cookie headers (all other requests were fine). Those requests are not even exposed in net tab in Developer tools (which doesn't bug me that much).

The point is, js files in this app are only supposed to be available to logged-in clients, so in this setup, the source maps either won't work or I'd have to change the location of the source map to a public directory.

My question is: is this a desired behavior (meaning - source map requests should not send cookies) or is it a bug in Chromium?

maX asked Feb 09 '13 21:02


1 Answer

The String InspectorFrontendHost::loadResourceSynchronously(const String& url) implementation in InspectorFrontendHost.cpp, which is called for loading sourcemap resources, uses the DoNotAllowStoredCredentials flag, which I believe results in the behavior you are observing.

This method is potentially dangerous, so this flag is there for us (you) to be on the safe side and avoid leaking sensitive data.

As a side note, giving jquery.min.js out only to logged-in users (that is, not from a cookieless domain) is not a very good idea to deploy in the production environment. I'm not sure about your idea behind this, but if you definitely need to avoid giving the file to clients not visiting your site, you may resort to checking the Referer HTTP request header.

Alexander Pavlov answered Oct 13 '22 00:10
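The answer above points at two things a server can do: keep source maps in a public path (since DevTools fetches them without stored credentials, an auth-gated location just produces failed requests in the log), and, if the scripts themselves must stay off-limits to strangers, fall back to a Referer check. The following Node.js code is an added example, not code from the question, the answer or Chromium; the origin, paths, session store and cookie name are assumptions made for the illustration. It shows the access decision for map and script requests, plus the rewrite of the sourceMappingURL comment so the minified script points at the public map location.

```javascript
// Added example (not from the original post): request-access policy that
// (1) serves source maps from a public, cookieless path so the credential-less
// DevTools fetch succeeds, and (2) gates the app's .js files on a session
// cookie, with the Referer check from the answer as a weak fallback.
// SITE_ORIGIN, the path prefixes, SESSIONS and the "session" cookie name are
// all assumptions for this example.
const SITE_ORIGIN = 'https://app.example';      // assumed site origin
const PUBLIC_MAP_PREFIX = '/public/maps/';      // assumed public map directory
const PRIVATE_JS_PREFIX = '/app/js/';           // assumed logged-in-only directory

// Constructed session store for the example: cookie value -> user name.
const SESSIONS = new Map([['s3ss10n', 'maX']]);

// Parse a Cookie header ("a=1; b=2") into a name -> value object.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// True when the Referer header names our own origin; absent or malformed
// Referer values are treated as "no referer".
function refererMatchesSite(referer) {
  if (!referer) return false;
  try {
    return new URL(referer).origin === SITE_ORIGIN;
  } catch (e) {
    return false;
  }
}

// Decide how to answer a GET for `path` given `headers` (lower-case keys).
// Returns { status, reason }.
function decideAccess(path, headers) {
  // Source maps live in a public directory: DevTools requests them without
  // cookies, so an auth-gated location would only ever yield 401s.
  if (path.startsWith(PUBLIC_MAP_PREFIX) && path.endsWith('.map')) {
    return { status: 200, reason: 'public source map' };
  }
  if (path.startsWith(PRIVATE_JS_PREFIX)) {
    const cookies = parseCookies(headers['cookie']);
    if (cookies.session && SESSIONS.has(cookies.session)) {
      return { status: 200, reason: 'authenticated session' };
    }
    // Fallback suggested in the answer: accept requests whose Referer is one
    // of our own pages. Caveat: any non-browser client can set Referer to
    // whatever it likes, so this only discourages casual hot-linking; it is
    // not authentication and must not guard anything secret.
    if (refererMatchesSite(headers['referer'])) {
      return { status: 200, reason: 'referer matches site (weak check)' };
    }
    return { status: 401, reason: 'no session and no matching referer' };
  }
  return { status: 404, reason: 'unknown path' };
}

// Rewrite the sourceMappingURL comment at the end of a minified script so it
// points at the public map location instead of a sibling file in the
// auth-gated directory.
function rewriteSourceMappingUrl(jsSource, mapUrl) {
  return jsSource.replace(/\/\/# sourceMappingURL=.*$/m,
                          `//# sourceMappingURL=${mapUrl}`);
}

// Small stand-alone demonstration of the policy on constructed requests.
console.log(decideAccess('/public/maps/jquery.min.map', {}));
console.log(decideAccess('/app/js/jquery.min.js', { cookie: 'session=s3ss10n' }));
console.log(decideAccess('/app/js/jquery.min.js', { referer: 'https://evil.example/' }));
console.log(rewriteSourceMappingUrl('x=1;\n//# sourceMappingURL=jquery.min.map',
                                    '/public/maps/jquery.min.map'));
```

The Referer branch is deliberately the last check and is labelled weak: it keeps other sites from embedding the script in a browser, but the `.js` must contain nothing that a logged-in session is actually protecting, which is also why the answer recommends serving such library files from a cookieless host in the first place.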