[whatwg/fetch] Allow custom headers on no-cors requests (#380) from Ingvar Stepanyan on 2016-09-01 (public-webapps-github@w3.org from September 2016)

From: Ingvar Stepanyan <notifications@github.com>
Date: Thu, 01 Sep 2016 10:29:53 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Message-ID: <whatwg/fetch/issues/380@github.com>

*(posting this as a result of Twitter discussion with @annevk)*

Current state:

Most of the page resource requests are `no-cors` by default, even if to the same origin.

If `no-cors` request was made to the same origin, you can read its response, however you can't set custom request headers. In particular, it makes hard to add specific metadata in Service Worker to be used by server-side for customized response that only Service Worker can handle.

This is possible to workaround by passing custom values under the allowed header names, but it would be unclean and pretty limited solution.

Another option is to (re)issue request with `cors` or `same-origin` mode in addition to modified headers if origin matches, but then you still opt into response errors should the origin decide to redirect to 3rd-party, which in unfavorable when writing Service Worker code that can be inserted to any website. So you still need to handle failure case and reissue original request should CORS error happen, which results in double-trip and weakens performance. (This all applies to adding `crossorigin` attribute to page resources as well).

If I understand correctly, the motivation for silently ignoring addition of custom headers to `no-cors` requests even to the same origin is exactly the fact that origin can redirect to 3rd party and browser would have to make that redirect with same custom headers, which now would violate CORS rules and is unacceptable from security point.

My suggestion is: allow addition of custom headers to such requests instead of silently ignoring them, but if the origin attempts to redirect to a 3rd-party, remove the disallowed headers from the further request hops (issued to the new origin).

This would simplify adding custom headers on page resources by 1) not ignoring headers at time of addition and 2) not forcing opt-in into errors caused by CORS.

This also doesn't weaken security - as was shown above, workarounds with double-trip with different modes are already possible, but they are less performant.

Thoughts?

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/380

Received on Thursday, 1 September 2016 18:13:02 UTC