[whatwg/fetch] CORB: nosniff handling (#686) from Lukasz Anforowicz on 2018-03-27 (public-webapps-github@w3.org from March 2018)

From: Lukasz Anforowicz <notifications@github.com>
Date: Tue, 27 Mar 2018 13:38:16 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/686@github.com>

# Motivation for the changes

Allowing blocking of HTML/JSON/XML [nosniff](https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff?) responses going to image (or audio/video/font/track) destinations covers most of scenarios where [CORB](https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md) is actually [observable in the wild today](https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md#Quantifying-CORB-impact-on-existing-websites).

# Explaining why blocking via net error is okay

Note that 1) CORB explainer asks to block a protected response by injecting an empty body (see the "[How does CORB “block” a response?](https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md#How-does-CORB-block-a-response)" section in the explainer) and 2) the Fetch spec asks to block a nosniff responses by injecting a network error (see the "[Main fetch](https://fetch.spec.whatwg.org/#main-fetch)" section, item 10). 

This difference might matter for some destinations (e.g. XHR and `fetch()`), but shouldn't matter for destinations covered here.  For example - [HTMLImageElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLImageElement)' `onerror` event will fire _both_ in case of a network error _and_ in case of a decode error (e.g. one triggered by the empty body injected by CORB).

One potential difference is the timing of when the network error VS decode error is observed.  In practice, this timing difference shouldn't matter though - CORB can be seen as a very slow network proxy that postpones the network error until the image decoding actually happens.
You can view, comment on, or merge this pull request online at:

  https://github.com/whatwg/fetch/pull/686

-- Commit Summary --

  * CORB: nosniff handling

-- File Changes --

    M fetch.bs (16)

-- Patch Links --

https://github.com/whatwg/fetch/pull/686.patch
https://github.com/whatwg/fetch/pull/686.diff

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/686

Received on Tuesday, 27 March 2018 20:38:41 UTC