Re: [fetch] Initializing context/content specific fetch defaults (#43)

> The problematic case with allowing fetch() to set the CSP policy to something other than connect-src is that you could then use fetch() to bypass CSP. The only way to prevent that would be to taint the response somehow. So that if you do fetch(url, {context: "image"}) the Response object can only be used by <img> and background-image and such.

That makes sense. In the case of `rel=preload` you'd get the same enforcement when you try to use the preloaded response within `<img>`, etc., just as we noted here: https://github.com/w3c/preload/pull/17#issuecomment-89356310.

> About initializing defaults. We could do this in fetch, but are engines actually setting these defaults based on an enum in the network layer, or are they set in the DOM layer based on the environment? I can see how we could take over handling Accept in fetch, but client hints seem trickier?

Our goal here is to provide context to the engine where it's currently missing, such that the engine can make more informed decisions. For example, when the engine sees an `<img>` resource, it will initialize some common defaults (e.g. Accept headers), and it may also use some environment/runtime variables to adjust priority and other settings: lower priority for below-the-fold images, advertise some hints if those values are known (e.g. resource width), and so on.

By contrast, if you try to `fetch()` an image resource today, the engine is completely blind and can't do any of the above. So, exposing "as", which can communicate that this is an "image" resource, is already a big step forward. The engine may not have as rich a context to determine all the other plausible optimizations, but our goal here is _not_ to provide feature parity... When you're using `fetch()` you're opting into "manual control", which is why custom headers and other properties are important -- e.g. I want to override the UA defaults and use fetch to advertise my own hints and other fetch settings.

In short, I think "as" is sufficient as a bootstrapping mechanism to help the UA set _some_ defaults; it doesn't need to provide the exact same behavior.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/43#issuecomment-91088766

Received on Thursday, 9 April 2015 01:52:48 UTC
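The CSP point in the quoted text (a caller-chosen fetch() context must not change which directive governs the request unless the Response is tainted to that context's sinks) is easier to see with a small model. The following Node.js script is an added example, not code from this thread, from the Fetch spec, or from any browser. It implements a deliberately simplified CSP source-list matcher (only 'self', 'none', '*' and host sources; no nonces, hashes or path matching), maps a request's destination to the directive that governs it with the usual default-src fallback, and then models the two designs under discussion: `fetchWithContext` and `consume` are hypothetical names that stand in for a fetch() that honours an "image" context and for the sinks that read the result. The policy, origins and URLs are constructed for the demonstration.

```javascript
// Added example (not from the thread or the Fetch spec): a small model of how
// CSP picks the directive that governs a request, used to show why a
// caller-chosen fetch() context must not change that choice unless the
// resulting Response is tainted to that context's sinks.

// Parse "img-src https://cdn.example; connect-src 'self'" into a Map of
// directive name -> list of source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Simplified source-expression matcher: 'none', 'self', '*' and host sources
// of the form [scheme://][*.]host[:port]. Real CSP has more forms (nonces,
// hashes, path matching); they are left out on purpose.
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr === "*") return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() + ":" !== url.protocol) return false;
  const hostname = url.hostname.toLowerCase();
  const wanted = host.toLowerCase();
  if (wildcard ? !hostname.endsWith("." + wanted) : hostname !== wanted) return false;
  if (port && port !== "*") {
    const actual = url.port || (url.protocol === "https:" ? "443" : "80");
    if (actual !== port) return false;
  }
  return true;
}

// The directive that governs a request is chosen by the request's destination,
// never by the calling script. A plain fetch() has destination "" and falls
// under connect-src; anything without its own directive falls back to default-src.
const DIRECTIVE_FOR = new Map([
  ["", "connect-src"],
  ["image", "img-src"],
  ["script", "script-src"],
  ["style", "style-src"],
  ["font", "font-src"],
]);

function governingDirective(directives, destination) {
  const name = DIRECTIVE_FOR.get(destination) || "default-src";
  if (directives.has(name)) return name;
  if (directives.has("default-src")) return "default-src";
  return null; // no applicable directive: the request is allowed
}

function isAllowed(policy, urlString, pageOrigin, destination) {
  const directives = parsePolicy(policy);
  const name = governingDirective(directives, destination);
  if (name === null) return true;
  const url = new URL(urlString);
  return directives.get(name).some((expr) => sourceMatches(expr, url, pageOrigin));
}

// Hypothetical fetch() that honours an "image" context for CSP purposes. If the
// context is allowed to pick img-src instead of connect-src, the Response has to
// be tainted so only image sinks can read it; otherwise script could read bytes
// that connect-src forbids.
function fetchWithContext(policy, urlString, pageOrigin, context) {
  const destination = context === "image" ? "image" : "";
  if (!isAllowed(policy, urlString, pageOrigin, destination)) {
    return { ok: false, blockedBy: governingDirective(parsePolicy(policy), destination) };
  }
  return { ok: true, taintedFor: context === "image" ? "image" : null };
}

// sink is "script" (read the body into JS) or "image" (decode it for <img>).
function consume(response, sink) {
  if (!response.ok) return "blocked";
  if (response.taintedFor && response.taintedFor !== sink) return "opaque";
  return "readable";
}

// Constructed scenario: the page may talk to its own origin, and may only load
// images from cdn.example. Everything else is denied by default-src 'none'.
const PAGE_ORIGIN = "https://app.example";
const POLICY = "default-src 'none'; connect-src 'self'; img-src https://cdn.example";
const IMAGE_URL = "https://cdn.example/logo.png";

console.log("plain fetch() of the image:", isAllowed(POLICY, IMAGE_URL, PAGE_ORIGIN, ""));      // false
console.log("<img> load of the image:   ", isAllowed(POLICY, IMAGE_URL, PAGE_ORIGIN, "image")); // true
const tainted = fetchWithContext(POLICY, IMAGE_URL, PAGE_ORIGIN, "image");
console.log("tainted fetch read by script:", consume(tainted, "script")); // opaque
console.log("tainted fetch used by <img>: ", consume(tainted, "image"));  // readable
```

The first two lines of output are the whole argument: the same URL is denied to a plain fetch() by connect-src but permitted to an image load by img-src, so letting the caller pick the image directive would be a bypass unless the returned Response is opaque to script, which is what the taint in the last two lines models.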