Re: [w3c/ServiceWorker] `CacheStorage` & `COEP:credentialless` (#1592)

@mfalken and I caught up with this thread. Thanks for the detailed explanations. I wasn't really aware of `COEP:credentialless` before reading this thread, so there's a chance I'm misunderstanding the whole thing.

I think our goal should be:

| Case \ params | request, no-cors, cross-origin | response          | original client   | second client       | result |
|---------------|--------------------------------|-------------------|-------------------|---------------------|--------|
| 1             | credentials=include            |                   | COEP:none         | COEP:credentialless | error  |
| 2             | credentials=include            | CORP:cross-origin | COEP:require-corp | COEP:credentialless | allow  |
| 3             | credentials=include            | CORP:cross-origin | COEP:none         | COEP:credentialless | allow  |
| 4             | credentials=omit               |                   | COEP:none         | COEP:credentialless | allow  |
| 5             | credentials=include            | CORP:cross-origin | COEP:none         | COEP:require-corp   | allow  |

It feels like this could be achieved by the `requestIncludedCredentials` idea mentioned previously, then changing https://fetch.spec.whatwg.org/#cross-origin-resource-policy-internal-check to check for that. That algorithm is run against responses coming from network, service workers, and `cache.match`.

So, after step 4 of https://fetch.spec.whatwg.org/#cross-origin-resource-policy-internal-check:

5. If policy is null and embedderPolicyValue is "credentialless" and response's **request included credentials** is false, then return allowed.

Does that work? I guess **request included credentials** would be set around the same time as the [range requested flag](https://fetch.spec.whatwg.org/#ref-for-concept-response-range-requested-flag%E2%91%A0).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1592#issuecomment-841125853

Received on Friday, 14 May 2021 09:23:10 UTC
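To make the proposal concrete, here is an added model (my own constructed code, not spec text and not from the thread) of the CORP internal check with the proposed **request included credentials** flag, replayed over the five table rows. It assumes constructed origins `https://app.example` and `https://cdn.example`, leaves out `same-site` and navigations, and assumes that a credentialed response with no CORP header is treated as `same-origin` under `credentialless` (the comment's step 5 leaves that implicit; it is what makes row 1 an error).

```python
from dataclasses import dataclass, field

# Constructed model of Fetch's "cross-origin resource policy internal check" with
# the proposed "request included credentials" flag. Not spec text; same-site and
# navigation requests are left out.

@dataclass
class Response:
    url_origin: str
    headers: dict = field(default_factory=dict)
    # Proposed flag, set when the original request was sent; travels through the cache.
    request_included_credentials: bool = False

def includes_credentials(credentials_mode, client_origin, url_origin):
    # Whether a request with this credentials mode actually sent credentials.
    if credentials_mode == "include":
        return True
    if credentials_mode == "same-origin":
        return client_origin == url_origin
    return False  # "omit"

def corp_internal_check(origin, embedder_policy, response):
    # Steps 2-3: read and normalise the Cross-Origin-Resource-Policy header.
    policy = response.headers.get("Cross-Origin-Resource-Policy")
    if policy not in ("same-origin", "cross-origin"):
        policy = None
    # Step 4: require-corp treats a missing header as same-origin.
    if policy is None and embedder_policy == "require-corp":
        policy = "same-origin"
    # Proposed step 5: a credential-free response is fine under credentialless.
    if (policy is None and embedder_policy == "credentialless"
            and not response.request_included_credentials):
        return "allowed"
    # Assumption: a credentialed response with no CORP header is treated as
    # same-origin under credentialless; this is what makes table row 1 an error.
    if policy is None and embedder_policy == "credentialless":
        policy = "same-origin"
    if policy is None or policy == "cross-origin":
        return "allowed"
    return "allowed" if origin == response.url_origin else "blocked"

def table_row(credentials_mode, corp_header, original_coep, second_coep):
    # One table row: no-cors cross-origin request by the original client, cached, then cache.match by a second client.
    client, cdn = "https://app.example", "https://cdn.example"  # constructed
    headers = {"Cross-Origin-Resource-Policy": corp_header} if corp_header else {}
    resp = Response(cdn, headers, includes_credentials(credentials_mode, client, cdn))
    # The original client only caches the response if it passed the check itself.
    if corp_internal_check(client, original_coep, resp) != "allowed":
        return "never cached"
    return corp_internal_check(client, second_coep, resp)
```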