Regarding source maps, I came across a strange behavior in chromium (build 181620). In my app I'm using minified jquery and after logging-in, I started seeing HTTP requests for "jquery.min.map" in server log file. Those requests were lacking cookie headers (all other requests were fine). Those requests are not even exposed in net tab in Developer tools (which doesn't bug me that much).

The point is, js files in this app are only supposed to be available to logged-in clients, so in this setup, the source maps either won't work or I'd have to change the location of source map to a public directory.

My question is: is this a desired behavior (meaning - source map requests should not send cookies) or is it a bug in Chromium?

The String InspectorFrontendHost::loadResourceSynchronously(const String& url) implementation in InspectorFrontendHost.cpp, which is called for loading sourcemap resources, uses the DoNotAllowStoredCredentials flag, which I believe results in the behavior you are observing.

This method is potentially dangerous, so this flag is there for us (you) to be on the safe side and avoid leaking sensitive data.

As a side note, giving jquery.min.js out only to logged-in users (that is, not from a cookieless domain) is not a very good idea to deploy in the production environment. I;m not sure about your idea behind this, but if you definitely need to avoid giving the file to clients not visiting your site, you may resort to checking the Referer HTTP request header.

I encountered this problem and became curious as to why certain authentication cookies were not sent in requests for .js.map files to our application.

In my testing using Chrome 71.0.3578.98, if the SameSite cookie atttribute is set to either strict or lax for a cookie, Chrome will not send that cookie when requesting the .js.map file. When there is no sameSite restriction, the cookie will be sent.

I'm not aware of any specification of the intended behavior.