Re: [whatwg/fetch] More CORB-protected MIME types - safelist-based approach (#721)

Range requests are only a problem for audio/video at the moment I think, but there is some model where we could tie things to the element doing the requests that would minimize unbounded memory growth. I suspect tying it to the lifetime of the fetch group is more reasonable though. I sketched out the algorithm and necessary state below:

---

A user agent has a **no-CORS-safelisted requesters set**.

A request has an associated **no-CORS media identifier** (null or an opaque identifier). Null unless explicitly stated otherwise.

\[The idea here is that the no-CORS media identifier is owned by the media element (audio/video only; I'm assuming we won't do range for images without at least requiring MIME types at this point). As part of the element being GC'd, it would send a message to get all the relevant entries from the user agent's no-CORS-safelisted requesters set removed. There might be better strategies available here and it's not clear to me to what extent we need to specify this, but it's probably good to have a model that does not leak memory forever so the set needs to be keyed to something. The fetch group might also be reasonable.]

A **no-CORS-safelisted media MIME type** is ... (audio, video).

A **no-CORS-safelisted non-media MIME type** is ... (image, text/css, JavaScript MIME types).

To determine whether to allow response _response_ to a request _request_, run these steps:

1. Let _mimeType_ be the result of parsing Content-Type of _response_.
1. If _mimeType_ is a no-CORS-safelisted media MIME type, then:
   1. Append (_request_'s no-CORS media identifier, _request_'s current URL) to the user agent's no-CORS-safelisted requesters set.
   1. Return true.
1. If _mimeType_ is a no-CORS-safelisted non-media MIME type, then return true.
1. If the user agent's no-CORS-safelisted requesters set contains (_request_'s no-CORS media identifier, _request_'s current URL), then return true.
1. Wait for 1024 bytes of _response_ or end-of-file, whichever comes first and let _bytes_ be those bytes.
1. If the [image type pattern matching algorithm](https://mimesniff.spec.whatwg.org/#image-type-pattern-matching-algorithm) given _bytes_ does not return undefined, then return true.
1. If the [audio or video type pattern matching algorithm](https://mimesniff.spec.whatwg.org/#audio-or-video-type-pattern-matching-algorithm) given _bytes_ does not return undefined, then:
   1. Append (_request_'s no-CORS media identifier, _request_'s current URL) to the user agent's no-CORS-safelisted requesters set.
   1. Return true.
1. If the JavaScript pattern matching algorithm does not return undefined, then return true.
1. Return false.

Note: user agents are encouraged to optimize the above algorithm, by taking into account the context where the request originated from.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/721#issuecomment-470126129

Received on Wednesday, 6 March 2019 14:43:54 UTC
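
The steps sketched in the comment above, as an added JavaScript example that is not part of the original message or of the Fetch specification. It shows why the requesters set matters for range requests: a later mid-file response carries no sniffable signature and is allowed only for the (identifier, URL) pair that was recorded earlier. The MIME lists, signature tables, `NoCorsFilter`, `sniffJavaScript`, `release` and all sample values are assumptions made for illustration.

```javascript
// Added example: MIME lists and signature tables are constructed subsets
// (assumptions); the comment above elides them with "...".
const MEDIA = /^(audio|video)\//;
const NON_MEDIA = /^(image\/|text\/css$|(text|application)\/javascript$)/;
const IMAGE_SIGS = [[0x89, 0x50, 0x4e, 0x47], [0x47, 0x49, 0x46, 0x38], [0xff, 0xd8, 0xff]];
const AV_SIGS = [[0x4f, 0x67, 0x67, 0x53], [0x49, 0x44, 0x33], [0x1a, 0x45, 0xdf, 0xa3]];
const matches = (bytes, sigs) => sigs.some(sig => sig.every((b, i) => bytes[i] === b));

class NoCorsFilter {
  // sniffJavaScript is a hypothetical hook: the JavaScript pattern matching
  // algorithm is not defined on the page, so the default matches nothing.
  constructor(sniffJavaScript = () => undefined) {
    this.requesters = new Map(); // media identifier -> Set of current URLs
    this.sniffJavaScript = sniffJavaScript;
  }
  remember({ mediaId, url }) {
    if (!this.requesters.has(mediaId)) this.requesters.set(mediaId, new Set());
    this.requesters.get(mediaId).add(url);
  }
  known({ mediaId, url }) {
    return this.requesters.has(mediaId) && this.requesters.get(mediaId).has(url);
  }
  allow(request, response) {
    // Simplified Content-Type parsing: essence only, parameters dropped.
    const mimeType = (response.contentType || "").split(";")[0].trim().toLowerCase();
    if (MEDIA.test(mimeType)) { this.remember(request); return true; }
    if (NON_MEDIA.test(mimeType)) return true;
    if (this.known(request)) return true;       // later range responses land here
    const bytes = response.body.slice(0, 1024); // first 1024 bytes or EOF
    if (matches(bytes, IMAGE_SIGS)) return true;
    if (matches(bytes, AV_SIGS)) { this.remember(request); return true; }
    return this.sniffJavaScript(bytes) !== undefined;
  }
  release(mediaId) { this.requesters.delete(mediaId); } // element was GC'd
}

function demo() {
  const url = "https://media.example/clip"; // constructed sample values
  const type = "application/octet-stream";
  const head = { contentType: type, body: Uint8Array.from([0x4f, 0x67, 0x67, 0x53, 0, 2]) };
  const range = { contentType: type, body: Uint8Array.from([0x7b, 0x22, 0x61, 0x22]) };
  const f = new NoCorsFilter();
  const out = [
    f.allow({ mediaId: "video-1", url }, head),  // sniffed as Ogg, pair remembered
    f.allow({ mediaId: "video-1", url }, range), // mid-file bytes, same requester
    f.allow({ mediaId: "video-2", url }, range), // other element, no recorded pair
  ];
  f.release("video-1");
  out.push(f.allow({ mediaId: "video-1", url }, range)); // entry gone after release
  return out;
}
```

Keying the map by media identifier makes `release` a single deletion, which is the bounded-memory property the bracketed note in the comment asks for.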