Re: [w3c/ServiceWorker] Service workers allow for more responses to be executed as script (#1509)

> So, how does the change in behavior look from the CORB perspective? Is it something like this?:
> 
> * Before the proposed changes: Cross-origin, no-cors non-GET responses are already blocked by CORB **if the response MIME type is CORB-eligible** (html/xml/json/pdf/zip/etc)
> * After the proposed changes: Cross-origin, no-cors non-GET responses are **always** blocked by CORB regardless of the response MIME type (therefore the "after" behavior extends CORB protection to POST responses carrying things like image/png or application/javascript)

Exactly.

> Oh, one more question - will this proposal be testable via WPT?

Yeah, you can make no-cors POST requests using `fetch()`. The test would be:

1. `<script src="whatever.js">`.
1. Intercept that with a service worker.
1. Respond with the response from a cross-origin no-cors POST request, where the response is `window.bad = true`.
1. Once the script loads, `window.bad` must be undefined.

-- 
https://github.com/w3c/ServiceWorker/issues/1509#issuecomment-614168122

Received on Wednesday, 15 April 2020 17:17:33 UTC
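
The four test steps in the reply above, sketched as an added example; it is not part of the original message and not an actual WPT test. The cross-origin URL, the function names and the single-file layout (worker and page logic together) are assumptions, and the page is assumed to be already controlled by the worker.

```javascript
// Placeholder endpoint (assumption): must answer POST with the body `window.bad = true`.
const CROSS_ORIGIN_URL = 'https://cross-origin.example/bad.js';
const SCRIPT_PATH = '/whatever.js'; // step 1: <script src="whatever.js">

// Step 3: obtain the substitute response from a cross-origin no-cors POST.
// fetchImpl is injectable so the logic can be exercised outside a browser.
function fetchCrossOriginPost(fetchImpl) {
  return fetchImpl(CROSS_ORIGIN_URL, { method: 'POST', mode: 'no-cors' });
}

// Step 2: only the script load under test is intercepted.
function isScriptUnderTest(request) {
  return new URL(request.url).pathname.endsWith(SCRIPT_PATH);
}

// Service worker fetch handler: returns true when it took over the request.
function onFetch(event, fetchImpl) {
  if (!isScriptUnderTest(event.request)) return false;
  event.respondWith(fetchCrossOriginPost(fetchImpl));
  return true;
}

// Step 4: the opaque POST response must not have run as script.
function verdict(win) {
  return win.bad === undefined ? 'PASS' : 'FAIL';
}

// Page side: load the script, wait for the load to settle, then check.
async function runInPage(doc, win) {
  await new Promise((resolve) => {
    const script = doc.createElement('script');
    script.src = SCRIPT_PATH;
    script.onload = script.onerror = resolve; // either event ends the load
    doc.head.appendChild(script);
  });
  return verdict(win);
}

// Register the handler only when running inside a service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  self.addEventListener('fetch', (event) => onFetch(event, fetch));
}
```

In a browser the page would call `runInPage(document, window)`; a `FAIL` result means the POST response body was executed as script.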