- From: Marijn Kruisselbrink <notifications@github.com>
- Date: Tue, 12 Apr 2016 10:52:09 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
- Message-ID: <slightlyoff/ServiceWorker/issues/878@github.com>
As currently specified, foreign fetch doesn't play together well with non-credentialed requests. In a world without foreign fetch, a website on origin A can fetch something from origin B without credentials, and there is no way (modulo fingerprinting) for B to associate that request with its cookies. If B can intercept the request with foreign fetch this is no longer the case, as B itself was fetched with credentials, and can make credentialed requests and access data that was cached using credentials.

There are a few options here:

- Live with this: non-credentialed requests aren't an important security/privacy boundary since B can use fingerprinting etc. anyway to track things and associate requests with credentials.
- Completely disable foreign fetch interception of non-credentialed requests. This would be very unfortunate, as things like fonts are always fetched without credentials, so this would disable a major use case of foreign fetch.
- Require origin A to opt in to having its non-credentialed requests be intercepted by a foreign fetch service worker. This would be rather unfortunate as well, as it would largely get rid of the transparent nature of foreign fetch, making it much less powerful.
- Somehow make it possible for origin B to say "this service worker does not need credentials". In the case of something like the fonts use case this would be done by adding an extra flag to the Link: header that installs the foreign fetch capable service worker. The effect of this flag would be for the service worker to be isolated in effectively its own origin. This origin will never be able to make non-credentialed requests. If a service worker isn't registered with this flag it won't be able to intercept non-credentialed requests.

View it on GitHub: https://github.com/slightlyoff/ServiceWorker/issues/878
Received on Tuesday, 12 April 2016 17:52:36 UTC