[fetch] Handling of data URLs (#111)

Hi,
I encountered some questions while implementing Fetch API + data scheme in Chromium/Blink.

Question 1: Are XHRs to data URLs intentionally prohibited, or does XHR's spec just lack the same-origin data-URL flag setting or so?

(I expect the latter because I thought previously we could use XHRs to data URLs)

Fetch API + data URLs: fetch('data://...') is resolved for all modes because the same-origin data-URL flag is set in the Request() constructor.
However, all XHRs to 'data://...' are rejected according to the spec [https://xhr.spec.whatwg.org/], because the same-origin data-URL flag is not set (and the default is "unset") and the mode is CORS or CORS-with-forced-preflight.

Question 2: What is the intention of unsetting the same-origin data-URL flag on redirect? Are redirects from HTTP(S) to data URLs intentionally allowed in no-cors mode?

Example: fetch('http://example.com/A') where the response from 'http://example.com/A' returns a 'Location: data://...' header.
In such cases, on redirect, the same-origin data-URL flag is unset and thus the fetch is rejected, except when the mode is "no-cors".
In "no-cors" mode, the case of <request's mode is "no-cors"> is applied and an opaque response is returned.

Is the "same-origin data-URL flag" introduced to forbid redirects to data URLs in general?
If so, such redirects should also be rejected in "no-cors" mode.

Related Chromium bugs:
  Redirects to data URLs are intentionally forbidden in Chromium
  (so perhaps redirects to data URLs in Fetch API will also be rejected):
    https://code.google.com/p/chromium/issues/detail?id=64092
    https://code.google.com/p/chromium/issues/detail?id=272072
  Implementing Fetch API + data URLs:
    https://code.google.com/p/chromium/issues/detail?id=521475


---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/111

Received on Tuesday, 18 August 2015 07:59:36 UTC
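
The behaviour the message describes, as an added example that is not part of the original message, the Fetch/XHR specs or Blink: a small JavaScript model of how the same-origin data-URL flag and the request mode decide the outcome for direct and redirected data URLs. The function and option names and the sample URLs are assumptions made for illustration; `forbidDataRedirects` models the stricter rule the message proposes in Question 2.

```javascript
// Added illustration: a model of the data-URL handling as the message describes it.
// dataUrlOutcome, its option names and the sample URLs are hypothetical.
const MODES = ['same-origin', 'no-cors', 'cors', 'cors-with-forced-preflight'];

function dataUrlOutcome({ api, mode, chain, forbidDataRedirects = false }) {
  // The Request() constructor sets the same-origin data-URL flag;
  // XHR never sets it, so it stays at its default (unset).
  let sameOriginDataUrlFlag = api === 'fetch';

  for (let hop = 0; hop < chain.length; hop++) {
    const viaRedirect = hop > 0;
    if (viaRedirect) sameOriginDataUrlFlag = false; // unset on every redirect

    if (!chain[hop].startsWith('data:')) continue; // HTTP(S) hop, not modelled

    // Stricter rule proposed in the message: no redirect may land on a data URL.
    if (viaRedirect && forbidDataRedirects) return 'rejected';
    if (sameOriginDataUrlFlag) return 'resolved';
    // Flag unset: only "no-cors" gets through, as an opaque response.
    return mode === 'no-cors' ? 'opaque' : 'rejected';
  }
  return 'http response'; // chain never reached a data URL
}

// Constructed inputs: a direct data URL and an HTTP URL that redirects to one.
const DIRECT = ['data:text/plain,hello'];
const REDIRECTED = ['http://example.com/A', 'data:text/plain,hello'];

function outcomeTable(forbidDataRedirects) {
  const rows = {};
  for (const mode of MODES) {
    rows[mode] = {
      direct: dataUrlOutcome({ api: 'fetch', mode, chain: DIRECT }),
      redirected: dataUrlOutcome({ api: 'fetch', mode, chain: REDIRECTED, forbidDataRedirects }),
    };
  }
  return rows;
}

console.log('as described:', outcomeTable(false));
console.log('redirects to data URLs forbidden:', outcomeTable(true));
console.log('XHR, cors:', dataUrlOutcome({ api: 'xhr', mode: 'cors', chain: DIRECT }));
```

With `forbidDataRedirects` off, the only mode in which the redirected row is not rejected is "no-cors", which is the gap Question 2 asks about.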