Re: [whatwg/fetch] Define a cache for H2 server push & friends (#354)

(Ahh, email replies in github remain a real challenge.)

> I'm not sure how best to clarify the confusion, because there's only one
> origin - it's a scheme/host/port tuple. It's the processing model that
> varies, and that is the point.

I admit to not understanding your response at all.  Let me try to explain a little more about what I was talking about.

When a site makes a request (maybe by invoking `fetch`), the origin of that site is relevant.  Let's call that A.  The target of that request (ignoring redirects) is also relevant because it determines whether that request is same origin or not.  Let's call that B.  But in the push case, the target of a cross-origin fetch can also push cross-origin.  Let's call that C.  These might all be different (a page from https://example.com makes a request to https://example.net which pushes https://api.example.net for example), but some might be the same as others.  The one that bothers me most is where C==A.

If this is what you refer to when you talk about "an initiation of fetch has a context (in the page and origin) that exceeds the available information in a PUSH PROMISE", then we're probably just in agreement on the need to walk through the wrinkles.

> The coalescing of HTTP/2 does not mean that
> you can skip the processing model of Fetch or CORS - as to do so would
> undermine the security properties and principles that the SOP is designed
> to protect.

I didn't mean to imply skipping any checks.  The opposite in fact.  I meant to observe that you don't need to skip any checks at all and that by doing so you achieve a system with similar - though maybe not identical - properties to one where sites can request that the browser fetch things (i.e., the one we have today).

-- 
https://github.com/whatwg/fetch/issues/354#issuecomment-282602863

Received on Monday, 27 February 2017 00:41:43 UTC