Re: [whatwg/fetch] Streaming upload and HTTP protocol info leak (#1007)

Let me re-summarize the chart:
## Same-origin case:
1. If the response to the main resource used HTTP/0.9 or HTTP/1.0:
   Fail the request.
1. If the response used HTTP/1.1:
   1. If `allowHTTP1ForStreamingUpload` is `true` (default):
      Continue processing
   1. If `allowHTTP1ForStreamingUpload` is `false`:
      Fail the request
1. If there is an existing HTTP/2 or /3 session, or the browser succeeded in creating an HTTP/2 or /3 session:
   Continue processing
 
## Cross-origin case:
4. If the response to the CORS preflight resource used HTTP/0.9 or HTTP/1.0:
   Fail the request.
4. If the response used HTTP/1.1:
   1. If `allowHTTP1ForStreamingUpload` is `true` (default):
      Continue processing
   1. If `allowHTTP1ForStreamingUpload` is `false`:
      Fail the request
1. If there is an existing HTTP/2 or /3 session, or the browser succeeded in creating an HTTP/2 or /3 session:
   Continue processing

Following this chart, fetch() upload streaming behaves differently only when a web author knows the protocol from a previous response, so this doesn't leak the protocol.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1007#issuecomment-617570553

Received on Wednesday, 22 April 2020 06:06:23 UTC