commit 9ba0186365f361d33bbb841c12c27a8b0eb75fb6 parent 83c1e67c3530aada4f2bf4dfb1be41bdacd92773 Author: Maxx Crawford <mcrawford@mozilla.com> Date: Wed, 17 Dec 2025 16:34:15 +0000 Bug 2004965 - Remove credentials field from MARS request body r=home-newtab-reviewers,mconley The credentials: "omit" field was erroneously placed inside the JSON request body for MARS (unified ads) endpoints in TopSitesFeed and AdsFeed. The MARS server does not recognize this field, and it should be at the fetch options level instead (alongside method, headers, signal). Differential Revision: https://phabricator.services.mozilla.com/D276737 Diffstat:
4 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/browser/extensions/newtab/lib/AdsFeed.sys.mjs b/browser/extensions/newtab/lib/AdsFeed.sys.mjs @@ -358,8 +358,8 @@ export class AdsFeed { context_id: await lazy.ContextId.request(), placements, blocks: blockedSponsors.split(","), - credentials: "omit", }), + credentials: "omit", signal, }; diff --git a/browser/extensions/newtab/lib/TopSitesFeed.sys.mjs b/browser/extensions/newtab/lib/TopSitesFeed.sys.mjs @@ -707,8 +707,8 @@ export class ContileIntegration { count: countsArray[index], })), blocks: blockedSponsors.split(","), - credentials: "omit", }), + credentials: "omit", signal, }; diff --git a/browser/extensions/newtab/test/xpcshell/test_AdsFeed.js b/browser/extensions/newtab/test/xpcshell/test_AdsFeed.js @@ -604,5 +604,12 @@ add_task(async function test_fetchData_OHTTP() { Assert.ok(ObliviousHTTP.ohttpRequest.calledOnce); Assert.deepEqual(result.tiles[0].id, "test1"); + info("AdsFeed: fetchData() should not send cookies"); + Assert.equal( + ObliviousHTTP.ohttpRequest.firstCall.args[3].credentials, + "omit", + "should not send cookies" + ); + sandbox.restore(); }); diff --git a/browser/extensions/newtab/test/xpcshell/test_TopSitesFeed.js b/browser/extensions/newtab/test/xpcshell/test_TopSitesFeed.js @@ -2792,6 +2792,14 @@ add_task(async function test_ContileIntegration() { Assert.ok(fetched); Assert.equal(feed._contile.sites.length, 2); + + info("TopSitesFeed._fetchSites should not send cookies"); + Assert.ok(fetchStub.calledOnce, "fetch should be called once"); + Assert.equal( + fetchStub.firstCall.args[1].credentials, + "omit", + "should not send cookies" + ); sandbox.restore(); } @@ -3513,6 +3521,9 @@ add_task(async function test_ContileIntegration() { "Sent the x-geo-location header from preflight" ); + info("TopSitesFeed._fetchSites should not send cookies via OHTTP"); + Assert.equal(callArgs[3].credentials, "omit", "should not send cookies"); + Services.prefs.clearUserPref( "browser.newtabpage.activity-stream.discoverystream.ohttp.relayURL" );