Re: [fetch] Mechanism to indicate "destination context" (#64)

I'm not sure it makes sense to overload the ```type``` attribute for this.

1. Consider the possibility that browsers could very well have a different behavior for sending the ```Referer``` header for ```<iframe src='foo.html'>``` and ```<a href='foo.html'>```. ```type=text/html``` in both cases. (IIRC, you can already configure Firefox in a way where that matters.) Overloading ```type``` as the solution for this issue would likely mean that we'd have to be extremely conservative with the ```Referer``` header in pre* requests--i.e. by having pre* requests always send the minimum value for the ```Referer```. Would people be OK with that?

2. In the case of navigation prefetch, why should I have to predict the MIME type of the destination of the link? In particular, consider a search engine SERP page. If I want to prefetch/prerender the first link, why should I need to care whether it links to application/pdf or text/html?

I think the problems with the "destination context" idea were overstated. If you want to differentiate pre* vs. non-pre* fetches then you can do that by adding an internal state flag that ```fetch()``` looks at. Similarly, you could have an internal state that indicates whether a fetch was initiated from ```fetch()```, or from an ```<img>``` tag, or from a ```fetch()``` in a service worker processing an ```<img>``` fetch. Although that would be more complicated than what you're proposing here, it wouldn't discard useful information.

Also, I don't see how you can resolve this issue without also having at least a general agreement for how CSP controls it. Every new way to initiate a network request should define or reference how CSP controls it. In particular, if CSP would block ```<iframe src=foo.html type=text/html>``` then should CSP also block ```<link rel=prefetch href=foo.html>```? The answer isn't obvious when we consider that the prefetch could be for a ```<a href=foo.html>``` that CSP wouldn't block, and when we consider that CSP is used for at least two quite different things (for XSS prevention in normal web pages, and as part of a poor person's confinement mechanism in Chrome's extensions and Firefox's package apps). FWIW, I don't think the "destination context" idea helps with solving any CSP interaction stuff either.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/64#issuecomment-119778508

Received on Thursday, 9 July 2015 01:34:03 UTC