Re: [whatwg/fetch] CORS protocol and HTTP caches (#402)

I will ask for some clarifications too:
- What is "the credentials mode"? Does it mean to allow sending credentials and cookies with the request?

If so, then it's what we call "anonymous" mode (or flag) on a request.

To clarify "load context info": it's a set of flags and values that separates (identifies) the context from which the request is being made, and separates cache entries in the HTTP cache this way.

Load context info is carrying the following information:
- origin attributes, which is a structure holding:
  - user context id (personal/work/banking/shopping...)
  - private browsing mode (aka incognito)
  - a few others, not related to this bug
- anonymous load (aka 'no credentials')

An entry in the HTTP cache is identified by the [load context info][URL w/o hash] tuple.

Re https://github.com/whatwg/fetch/issues/402#issuecomment-256020019:
> If (req1, res1) is cached, is the HTTP cache allowed to serve res1 for req2?

Yes, if there is nothing more said about the cacheability of the response. The only solution is on the server side, as mentioned in https://bugs.chromium.org/p/chromium/issues/detail?id=658575#c5.

What you suggest sounds like we may want to isolate the cache by a CORS flag (add it to the load context info).  

The result would be: let's have pages foo.com/, bar.com/, baz.com/, all referring to a resource at foo.com/script.js. In the HTTP cache there would then be exactly two entries:
- foo.com/script.js as referenced from foo.com/
- foo.com/script.js as referenced from bar.com/ and baz.com/ (and whatever origin not being foo.com)

Though, I believe this could well break the web. Hence there is the requirement (suggestion?) to use the 'Vary: origin' response header, which can be managed by the web admins. OTOH, this puts the CORS protection on their shoulders. Maybe the browser should help here somehow?


-- 
https://github.com/whatwg/fetch/issues/402#issuecomment-257323396

Received on Monday, 31 October 2016 15:22:19 UTC
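
The cache keying discussed in this message, as an added toy model that is not part of the original post and is not browser code. It compares the plain [load context info][URL w/o hash] key, a server that sends `Vary: origin`, and a key extended with a CORS flag. The names `originServer`, `cacheKey`, `HttpCache` and `scenario`, and a server that adds `Access-Control-Allow-Origin: *` only when an `Origin` header is present, are assumptions.

```javascript
// Toy model of the keying in the message; all names are hypothetical.
const RESOURCE = 'https://foo.com/script.js';

// Constructed origin server: adds CORS headers only when Origin is present.
function originServer(req, sendVary) {
  const headers = {};
  if (req.headers.origin) headers['access-control-allow-origin'] = '*';
  if (sendVary) headers.vary = 'origin';
  return { headers, body: 'script' };
}

// Cache key: [load context info][URL w/o hash], optionally plus a CORS flag.
function cacheKey(req, corsFlagInKey) {
  const url = req.url.split('#')[0];
  const info = [req.userContextId, req.privateBrowsing, req.anonymous];
  if (corsFlagInKey) info.push(req.pageOrigin !== new URL(url).origin);
  return JSON.stringify([info, url]);
}

class HttpCache {
  constructor(opts) { this.opts = opts; this.entries = new Map(); }
  fetch(req) {
    const key = cacheKey(req, this.opts.corsFlagInKey);
    const variants = this.entries.get(key) || [];
    // A response stored with Vary: origin is reusable only for the same Origin.
    let hit = variants.find(v => v.res.headers.vary !== 'origin' ||
                                 v.origin === req.headers.origin);
    if (!hit) {
      hit = { origin: req.headers.origin, res: originServer(req, this.opts.sendVary) };
      this.entries.set(key, variants.concat(hit));
    }
    return hit.res;
  }
  size() { return [...this.entries.values()].reduce((n, v) => n + v.length, 0); }
}

// Loads foo.com/script.js from the three pages in the message, foo.com first.
function scenario(opts) {
  const cache = new HttpCache(opts);
  const corsOk = {};
  for (const page of ['https://foo.com', 'https://bar.com', 'https://baz.com']) {
    const cross = page !== new URL(RESOURCE).origin;
    const req = { url: RESOURCE, pageOrigin: page, userContextId: 0, privateBrowsing: false,
                  anonymous: false, headers: cross ? { origin: page } : {} };
    const res = cache.fetch(req);
    // Same-origin loads need no CORS check; cross-origin loads need the ACAO header.
    corsOk[page] = !cross || res.headers['access-control-allow-origin'] === '*';
  }
  return { entries: cache.size(), corsOk };
}
```

With neither mitigation the cache holds one entry and the response stored for foo.com, which has no CORS headers, is reused for bar.com and baz.com. With the CORS flag in the key the model ends up with the two entries listed in the message.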