BREAKING: iOS: Support withCredentials flag in XHRs

[rigdern]

Corresponding Android PR: #12276

Respect the withCredentials XMLHttpRequest flag for sending cookies with requests. This can reduce payload sizes where large cookies are set for domains.

This should fix #5347.

This is a breaking change because it alters the default behavior of XHR. Prior to this change, XHR would send cookies by default. After this change, by default, XHR does not send cookies which is consistent with the default behavior of XHR on web for cross-site requests. Developers can restore the previous behavior by passing true for XHR's withCredentials argument.

Test plan (required)

Verified in a test app that XHR works properly when specifying withCredentials as true, false, and undefined. Also, my team uses this change in our app.

Adam Comella
Microsoft Corp.

[mkonicek]

Docs on withCredentials here: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials

Looks good. Thanks for adding the "BREAKING" prefix.

[facebook-github-bot]

@mkonicek has imported this pull request. If you are a Facebook employee, you can view this diff on Phabricator.

[matt-42]

It seems like this conversion [1] does not work as expected. It always gives false, at least on the IOS simulator. This completely breaks cookies on IOS for 0.44.

[1] https://github.com/rigdern/react-native/blob/1b680213628ca9df3622acc9b67b49dcd6f6c30b/Libraries/Network/RCTNetworking.mm#L233

[Benjamin-Dobell]

Very breaking indeed 😉 I didn't find mention to this change in the release notes even though it's a breaking change. Took me a while to find out what was going on.

However, I think things are little more broken than intended.

The fetch API is presently (in 0.44.0) not functioning correctly. The following:

fetch(url, {credentials: 'include'})

does not work. Instead the following is required:

fetch(url, {credentials: 'include', withCredentials: true})

Note the inclusion of withCredentials: true. withCredentials does not correspond to a fetch API property.

[rigdern]

I just tested this in React Native 0.44 and everything seems to be working.

@matt-42 Are you setting withCredentials to true when constructing your XMLHttpRequest object?

@Benjamin-Dobell Things worked for me when using fetch(url, {credentials: 'include'}). Are you sure you are using the fetch polyfill that ships with React Native? I looked into how fetch and credentials work in React Native and it seems it just sets withCredentials on an XMLHttpRequest:

• React Native publishes fetch as a global here by importing the fetch module.
• The fetch module uses the npm packages whatwg-fetch as can be seen here.
• Looking at the implementation of whatwg-fetch, you can see it's built on top of XMLHttpRequest and sets withCredentials based on the value of credentials.

If you can provide more details about what's broken for you, I can look into it. As far as I can tell, everything is working as expected.

I'll see if I can get this added to the breaking change list so it doesn't surprise other people.