Re: [whatwg/fetch] CORS safelisting trace context header (#911)

Thanks @annevk and @sideshowbarker for the feedback.

> If I understand it correctly this is a web application level protocol not intended to be implemented by browsers? (Whether it's implemented by browsers does not matter so much for this issue, but in that case I might have some other feedback.)

The trace context proposal is not intended to be implemented by browsers.

> That’s a general problem/cost with any situation at all where a preflight happens. It’s not on its own sufficient justification at all for special-casing the traceparent and tracestate request headers

This is of course the cost of any cross-origin request, but in the case of observability the `traceparent` header would be added to most (if not all) requests, which amplifies the cost, especially since the header would be added to requests that otherwise would not need a preflight request. This is especially an issue for an observability tool that is expected not to interfere with the application's performance. Secondly, this cost can be avoided, considering that the trace context proposal is a W3C candidate recommendation proposal.

> What is special/unique about the observability-user case that makes it specifically more challenging for observability users to add CORS-preflight support to their systems than it is for anyone else managing a server-side system intended to receive cross-origin requests from frontend code?

The challenge with the observability use-case is that it potentially touches all of the components of an application, some of which might not consume the trace-context header but might include it in their logs or might only pass it along. 


I would also like to ask, what are the criteria that a header needs to meet in order to be added to the CORS safelist?
In other words, what are the criteria that the current members of the CORS safelist meet that justify their place on the list (e.g. `Content-Type`)?



-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/911#issuecomment-512234271

Received on Wednesday, 17 July 2019 12:33:31 UTC
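
Added example, not part of the original message or of any project's code: a simplified model of the Fetch Standard's CORS-safelist check, showing how adding `traceparent` turns a request that needed no preflight into one that does, and how to audit a server's `Access-Control-Allow-Headers` value for it. The function names and sample requests are assumptions made for illustration.

```javascript
// Simplified model of the Fetch Standard's CORS preflight decision.
// Omitted: byte-level value checks, the Range header, total-size limits.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

function isSafelistedHeader(name, value) {
  if (value.length > 128) return false;
  switch (name.toLowerCase()) {
    case "accept":
    case "accept-language":
    case "content-language":
      return true;
    case "content-type":
      return SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
    default:
      return false;
  }
}

// Header names (lowercased) that force a preflight for this request.
function unsafeHeaderNames(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => !isSafelistedHeader(name, value))
    .map(([name]) => name.toLowerCase());
}

function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaderNames(headers).length > 0;
}

// Given a server's Access-Control-Allow-Headers value, list the request
// headers it fails to cover; a non-empty result means the browser blocks
// the request. "*" is a wildcard only for requests without credentials.
function missingFromAllowHeaders(headers, allowHeaders, withCredentials = false) {
  const allowed = new Set(allowHeaders.split(",").map((h) => h.trim().toLowerCase()));
  if (allowed.has("*") && !withCredentials) return [];
  return unsafeHeaderNames(headers).filter((h) => !allowed.has(h));
}

// Constructed sample requests; the traceparent value is illustrative.
const plain = { Accept: "application/json" };
const traced = { ...plain, traceparent: "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01" };
console.log(needsPreflight("GET", plain), needsPreflight("GET", traced)); // false true
console.log(missingFromAllowHeaders(traced, "content-type"));            // [ 'traceparent' ]
```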