[whatwg/fetch] Have CORP check rely on request's response tainting rather than request's mode (#985) from Yutaka Hirano on 2019-12-18 (public-webapps-github@w3.org from December 2019)

From: Yutaka Hirano <notifications@github.com>
Date: Tue, 17 Dec 2019 19:48:31 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/985@github.com>

Brought up at https://chromium-review.googlesource.com/c/chromium/src/+/1971810, related with https://github.com/w3c/ServiceWorker/issues/1490.

We would like to run [the CORP check](https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check) in CacheStorage for COEP (https://github.com/w3c/ServiceWorker/issues/1490), but currently the CORP check relies on the request mode which is not directly accessible there. [request's response tainting](https://fetch.spec.whatwg.org/#concept-request-response-tainting) is stored as [response type](https://fetch.spec.whatwg.org/#concept-response-type) and we can use it. What do you think about changing the first item as follows?

If _request_'s response tainting is not "opaque", then return __allowed__.

In the CacheStorage spec, we will restore a _request_ for the CORP check as follows:

 - Let _request_ be a new request.
 - Set _request_'s URL to the given URL.
 - Set _request_'s origin to the current realm's origin
 - Set _request_'s response tainting to 
   - "basic" if _response_'s type is "basic", "default" or "opaqueredirect"
   - "opaque" if _response_'s type is "opaque"
   - "cors" if _response_'s type is "cors"

@ArthurSonzogni @wanderview @annevk 

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/985

Received on Wednesday, 18 December 2019 03:48:33 UTC