Re: [whatwg/fetch] Allow more flexibility in how 401s/407s are handled? (#1132)

> It seems like a new capability for content to be able to access 407 responses though. How are you handling that? Or are you treating them as opaque in some manner?

Right now our Chrome implementation is just buggy; we return the 401/407 response to the Service Worker and we don't show the auth prompt at all. That's clearly not the right behavior. I agree that it doesn't seem quite correct to let content access the 401/407, but in practice I'm not sure it's an entirely new capability. In our old overlay model (or in e.g. Safari's current model), if the user hits Cancel on the auth prompt, then the request proceeds in order to display the response body from the server. I suspect that in this case the SW will see the 401/407 response just like it would see a 404. (I have to verify this, though.)

Even if it is the case that SWs can sometimes access 401/407 responses today, I suspect that's probably an accident of implementation and not an intentional decision. Making a 401/407 response opaque seems reasonable; I didn't think of that -- though I'd still be a bit worried about SWs caching and reusing it unintentionally. Do you think treating it as a network error would also be an option?

-- 
https://github.com/whatwg/fetch/issues/1132#issuecomment-755082015

Received on Wednesday, 6 January 2021 05:10:25 UTC
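
The caching concern raised in the message above can be handled on the site author's side with a guard in the service worker. The following is an added example, not part of the original message and not Chrome's or the Fetch specification's behaviour; `isCacheable`, `networkFirst`, the plain-object responses and the `Map` used as a cache are assumptions made for illustration.

```javascript
// Added example. Responses are modelled as plain objects carrying the
// fields a service worker can read (type, status, ok); `cache` is a Map
// standing in for the Cache API. All names here are hypothetical.

// True only for responses that are safe to store and replay later.
function isCacheable(response) {
  // An opaque response always reports status 0, so a 401/407 wrapped in
  // one is indistinguishable from a success. Refuse to store any of them.
  if (response.type === 'opaque' || response.type === 'opaqueredirect') {
    return false;
  }
  // An authentication challenge has to be re-evaluated on every request.
  if (response.status === 401 || response.status === 407) {
    return false;
  }
  return response.ok === true;
}

// Network-first handler: return whatever the network gave us, store it
// only if isCacheable() agrees, fall back to the cache on network failure.
async function networkFirst(url, fetchFn, cache) {
  let response;
  try {
    response = await fetchFn(url);
  } catch (err) {
    if (cache.has(url)) return cache.get(url);
    throw err;
  }
  if (isCacheable(response)) cache.set(url, response);
  return response;
}
```

In a real service worker the same check would sit in front of `cache.put()` inside the `fetch` event handler.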