Re: [fetch] Navigate likely needs to be "no-cors" after all, need to update security checks (#126) from Ben Kelly on 2015-09-17 (public-webapps-github@w3.org from September 2015)

From: Ben Kelly <notifications@github.com>
Date: Thu, 17 Sep 2015 08:30:56 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Message-ID: <whatwg/fetch/issues/126/141123109@github.com>

It seems clunky to have special cases for navigations that aren't reflected in the exposed FetchEvent.request attributes.

If navigations follow no-cors cross-origin redirects, is there a reason we can't just accept opaque responses for navigations?  It seems if we update the final URL of the page with the intercepted Response.url, then it would be the same as a redirect.

Maybe something like:

* Add an InterceptedUrlMode enum with values "hidden" and "exposed"
* Request objects default to "hidden" url mode
* Navigations set url mode to "exposed"
* If url mode is "exposed", then skip step 15 of main fetch (overriding the returned response.url)

@jakearchibald, is there a functional reason not to do this for navigations?

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/126#issuecomment-141123109

Received on Thursday, 17 September 2015 15:31:33 UTC