Re: [fetch] Mechanism to indicate "destination context" (#64) from Ilya Grigorik on 2015-06-26 (public-webapps-github@w3.org from June 2015)

From: Ilya Grigorik <notifications@github.com>
Date: Fri, 26 Jun 2015 07:05:46 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Message-ID: <whatwg/fetch/issues/64/115700995@github.com>

Got a chance to chat with @mikewest... Mike, please correct me if I'm misrepresenting anything.

* We don't want to override initiator's context; we want to enforce connect-src on fetch()
* The "destination context" concept is not particularly useful (for CSP or fetch)
  * CORS controls whether you can inspect the response body; also applicable in SW case.
  * CSP controls whether you can pass a blob: / data: to elements

For preload/prefetch/prerender in particular:
 * None provide direct access to response object/body
 * The consumer will enforce its own policies when consuming previously pre*** resource, which may happen in same navigation context or another.
 * We may want to investigate adding a new CSP directive to control preload/prefetch/prerender; this is a separate and non-blocking discussion.
 * Using existing "[context definitions](https://fetch.spec.whatwg.org/#dfnReturnLink-0)" to indicate fetch preferences is not a great fit - e.g. if you want to indicate that you're fetching an HTML file, what value would you use? It may be better and easier to simply indicate the content-type instead. 
   * This is not ideal either: sometimes you have to be overly specific (e.g. image/png vs image), and you may lose some prioritization information (image vs imageset). There are tradeoffs in both directions, but mime-type should offer a more flexible and future proof solution (bonus: "type attribute" is already a thing on `<link>`).

With above in mind... Rough sketch of what it could look like with `type`:

```html
<link rel="prefetch" href="/next/page.html" type="text/html">

<script>
  fetch("/next/page.html", {type: "tex/html"}).then(...)
</script>
```

In "[Fetching](https://fetch.spec.whatwg.org/#fetching)": 
* If request's header list does not contain a header whose name is `Accept`, run these substeps:
  * If request's context is not fetch, let value be the first matching statement, switching on request's context... (same list as curently).
  * Else, if the request contains type attribute, let value be the first (regular? :)) expression matching request's type:
    * `image` -> `image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5`
    * `xhtml | html | xml `-> `text/html,application/xhtml+xml,application/xml;q=0.9,*`
    * `css` -> `text/css,*/*;q=0.1`
    * `.*` -> `*/*`
 * ... same as rest + clause to set priority based on type.

Thoughts?

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/64#issuecomment-115700995

Received on Friday, 26 June 2015 14:06:17 UTC