Re: [ServiceWorker] Define some way for foreign fetch to decide on opaqueness of responses (#841) from Anne van Kesteren on 2016-02-29 (public-webapps-github@w3.org from February 2016)

From: Anne van Kesteren <notifications@github.com>
Date: Mon, 29 Feb 2016 00:40:35 -0800
To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Message-ID: <slightlyoff/ServiceWorker/issues/841/190103784@github.com>

The foreign fetch service worker is always fetched with credentials. CORS requests are either with or without credentials. But even for CORS requests without credentials, we'll use the foreign fetch service worker (fetched with credentials). Therefore we want to be absolutely sure that it wants to share a response.

Furthermore, if the foreign fetch service worker itself fetched something cross-origin and wants to share that, this will make that easy where "just use CORS" requires repackaging in a synthetic response.

Having an explicit programmatic security protocol should help with all that. Repackaging responses to include the correct headers is not a great API or the way to go.

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/841#issuecomment-190103784

Received on Monday, 29 February 2016 08:41:08 UTC