Re: [whatwg/fetch] Allow connection reuse for request without credentials when TLS client auth is not in use (#341) from sleevi on 2017-02-27 (public-webapps-github@w3.org from February 2017)

From: sleevi <notifications@github.com>
Date: Mon, 27 Feb 2017 13:55:50 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/341/282868417@github.com>

@annevk OK, so you're talking about H/2 coalescing, not same-origin resources, just to confirm?

The story of 3P cookie blocking is... complicated... and I suspect @mikewest can speak more to it. My most recent examination of the code was that when a request is identified as a 3P one for which cookies should block, then it (effectively) ends up as an uncredentialed request. As a consequence, it goes to our 'uncredentialed' pool for dispatch over the network. However, this is complicated by some of our renderer and memory cache behaviours, so I'm going to narrowly focus on the "Resource wasn't cached" scenario (in memory or on disk) for these examples:

* `example.com` loading `cdn.example.com` resources
* If the request is no-credentials (fonts), then it will be dispatched to a dedicated socket pool for non-credentialed requests, always.
* If the socket pool has an already-established connection to `cdn.example.com`, it'll use that connection. This includes H/2 connections asserting multiple origin identities.
* Otherwise, it goes off to a new connection.
* If the request is credentials, then it will be dispatched to the credentialed socket pool.
* Because the (current) connection is credentialed, since it loaded `example.com`, then if the H/2 connection also asserts origin identity for `cdn.example.com`, the request will be dispatched over the current connection.
* Otherwise (for example, the connection was terminated after the `example.com` resource loaded), a new connection to `cdn.example.com` will be established.

* `example.com` loading `tracker.example`, which has cookies associated but triggers the 3P-cookie-blocking:
* If it meets our criteria as a 3P load / our 3P-cookie blocker says they're not equivalent, then the underlying request is dispatched to a `non-credentialed` socket pool.
- While this means that such 3P loads will also never have ambient authority associated with them (because they go through the dedicated 'non-credentialed' pool), this is the intent/desire from a privacy perspective.
* If it didn't trigger 3P cookie blocking, then it would be dispatched to the 'credentialed' pool, similar to the `cdn.example` case above.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/341#issuecomment-282868417

Received on Monday, 27 February 2017 21:56:48 UTC