- From: hiroshige-g <notifications@github.com>
- Date: Tue, 18 Aug 2015 00:59:06 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/111@github.com>
Hi, I encountered some questions while I'm implementing Fetch API + data scheme in Chromium/Blink. Question 1: Are XHRs to data URLs intentionally prohibited, or just XHR's spec lacks same-origin data-URL flag setting or so? (I expect the latter because I thought previously we could use XHRs to data URLs) Fetch API + data URLs: fetch('data://...') is resolved for all modes because same-origin data-URL flag is set in Request() constructor. However, all XHRs to 'data://...' are rejected according to the spec [https://xhr.spec.whatwg.org/], because same-origin data-URL flag is not set (and the default is "unset") and mode is CORS or CORS-with-forced-preflight. Question 2: What is the intention of unsetting same-origin data-URL flag on redirect? Are redirects from HTTP(S) to data URLs intentionally allowed in no-cors mode? Example: fetch('http://example.com/A') where the response from 'http://example.com/A' returns a 'Location: data://...' header. In such cases, on redirect, same-origin data-URL flag is unset and thus fetch is rejected, except for when mode is "no-cors". In "no-cors" mode, the case of <request's mode is "no-cors"> is applied and opaque response is returned. Is "same-origin data-URL flag" introduced to forbid redirects to data URLs in general? If so, such redirects should be rejected also in "no-cors" mode. Related Chromium bugs: Redirects to data URLs are intentionally forbidden in Chromium (so perhaps redirects to data URLs in Fetch API will be also rejected): https://code.google.com/p/chromium/issues/detail?id=64092 https://code.google.com/p/chromium/issues/detail?id=272072 Implementing Fetch API + data URLs: https://code.google.com/p/chromium/issues/detail?id=521475 --- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/111
Received on Tuesday, 18 August 2015 07:59:36 UTC