- From: hiroshige-g <notifications@github.com>
- Date: Tue, 18 Aug 2015 00:59:06 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/111@github.com>
Hi,
I encountered some questions while I'm implementing Fetch API + data scheme in Chromium/Blink.
Question 1: Are XHRs to data URLs intentionally prohibited, or just XHR's spec lacks same-origin data-URL flag setting or so?
(I expect the latter because I thought previously we could use XHRs to data URLs)
Fetch API + data URLs: fetch('data://...') is resolved for all modes because same-origin data-URL flag is set in Request() constructor.
However, all XHRs to 'data://...' are rejected according to the spec [https://xhr.spec.whatwg.org/], because same-origin data-URL flag is not set (and the default is "unset") and mode is CORS or CORS-with-forced-preflight.
Question 2: What is the intention of unsetting same-origin data-URL flag on redirect? Are redirects from HTTP(S) to data URLs intentionally allowed in no-cors mode?
Example: fetch('http://example.com/A') where the response from 'http://example.com/A' returns a 'Location: data://...' header.
In such cases, on redirect, same-origin data-URL flag is unset and thus fetch is rejected, except for when mode is "no-cors".
In "no-cors" mode, the case of <request's mode is "no-cors"> is applied and opaque response is returned.
Is "same-origin data-URL flag" introduced to forbid redirects to data URLs in general?
If so, such redirects should be rejected also in "no-cors" mode.
Related Chromium bugs:
Redirects to data URLs are intentionally forbidden in Chromium
(so perhaps redirects to data URLs in Fetch API will be also rejected):
https://code.google.com/p/chromium/issues/detail?id=64092
https://code.google.com/p/chromium/issues/detail?id=272072
Implementing Fetch API + data URLs:
https://code.google.com/p/chromium/issues/detail?id=521475
---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/111
Received on Tuesday, 18 August 2015 07:59:36 UTC