Re: [whatwg/fetch] consider failing same-origin fetch requests that get a cross-origin cors Response synthesized by a service worker (#629)

> I would be happy with rejecting CORS responses when request's mode is "same-origin".

Thanks for clarifying.  Sorry for my earlier confusion.

Just to clarify, do you mean *all* CORS responses or only cross-origin CORS responses?

I think @jakearchibald and I were thinking we would only reject on cross-origin CORS responses.

Assuming we are on the same page there, the question is how to get there now.  The current situation is:

* Firefox does not propagate Response.url on interception in any case.  We also don't reject cross-origin CORS Responses when intercepting a same-origin mode Request.
* Chrome does propagate Response.url on interception for at least some cases, like fetch API.  It's hard to tell if it applies to all cases, though, and Google implementors don't think it does.  And Chrome does not reject cross-origin CORS responses for same-origin mode Requests either.

Since Chrome has shipped propagating the Response.url in some fairly visible cases I'd like to also move forward in Firefox.  I don't want to wait weeks or months to collect data on the cross-origin CORS for same-origin mode Request case.

I can see two ways to move forward:

1. Implement Response.url propagation and immediately implement rejecting cross-origin CORS responses for same-origin mode Requests.  Then see if anyone complains.
2. Implement Response.url propagation.  For cross-origin CORS responses for same-origin mode Requests do the following:
   1. Log telemetry to collect data we need to eventually reject.
   2. Log a deprecation warning to console.
   3. Add a quirk to do the equivalent of `new Response(crossOriginResponse.body, crossOriginResponse)`.
   4. Once we have enough data remove the quirk and reject.

I personally feel like (2) would give us the best immediate interop between Chrome and Firefox.  It would also give us a path to rejecting.  If Chrome is willing to follow suit quickly with rejecting, then I would be open to implementing (1).

Thoughts @annevk @jakearchibald @mattto?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/629#issuecomment-343276758

Received on Thursday, 9 November 2017 20:10:58 UTC
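
The two options in the message above, modelled as an added example that is not part of the original message and not browser code. Plain objects stand in for Request and Response; the function names, the `policy` values and the sample URLs are hypothetical, and an empty `response.url` (a Response built in the service worker) is assumed to count as same-origin.

```javascript
// Added illustration: plain objects model the Request/Response fields that matter here.
// True only for a CORS-typed response whose propagated url has a different origin
// than the intercepted request.
function isCrossOriginCors(request, response) {
  if (response.type !== "cors" || !response.url) return false; // "" = synthesized
  return new URL(response.url).origin !== new URL(request.url).origin;
}

// policy "reject" models option 1; policy "quirk" models option 2 (steps 1 to 3).
function handleIntercepted(request, response, policy) {
  if (request.mode !== "same-origin" || !isCrossOriginCors(request, response)) {
    return { action: "pass", response, telemetry: 0, warnings: [] };
  }
  if (policy === "reject") {
    return { action: "network-error", response: null, telemetry: 0, warnings: [] };
  }
  // Equivalent of `new Response(crossOriginResponse.body, crossOriginResponse)`:
  // a freshly constructed Response has type "default" and an empty url, so the
  // cross-origin url is not exposed to the same-origin consumer.
  const stripped = { ...response, type: "default", url: "" };
  return {
    action: "quirk",
    response: stripped,
    telemetry: 1, // counter that would feed the later decision to reject
    warnings: ["cross-origin CORS response used for a same-origin mode request"],
  };
}

// Constructed sample inputs.
const sameOriginRequest = { url: "https://app.example/data.json", mode: "same-origin" };
const crossOriginCors = { url: "https://cdn.example/data.json", type: "cors", body: "{}" };
const sameOriginBasic = { url: "https://app.example/data.json", type: "basic", body: "{}" };
const synthesized = { url: "", type: "default", body: "{}" };

for (const [name, res] of Object.entries({ crossOriginCors, sameOriginBasic, synthesized })) {
  for (const policy of ["reject", "quirk"]) {
    console.log(name, policy, handleIntercepted(sameOriginRequest, res, policy).action);
  }
}
```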