Re: [whatwg/fetch] Perform TAO check when reporting, using global's origin (PR #1422)

@annevk commented on this pull request.

I don't really understand the setup I'm afraid. Could you explain it?

* Does this require keeping all the intermediate responses in memory until "finalize and report timing" runs?
* Why does "finalize and report timing" now end up doing multiple TAO checks for everything, rather than just nested documents?
* Is the global in "finalize and report timing" the correct one?

> @@ -6030,14 +6046,25 @@ agent's <a>CORS-preflight cache</a> for which there is a <a>cache entry match</a
  <li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>basic</code>", then
  return success.
 
+ <li><p>Let <var>serializedOrigin</var> be the result of <a>serializing a request origin</a> given
+ <var>request</var>.
+
+ <li><p>Return the result of performing a <a>TAO origin check</a> given <var>origin</var> and
+ <var>response</var>.
+</ol>
+
+<p>To perform a <dfn>TAO origin check</dfn> for an <a for=/>ASCII string</a>
+<var>serializedOrigin</var> and a <span>response</span> <var>response</var>, run these steps:
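
Review bot: the second added step passes `origin` to the TAO origin check, but the step before it defines `serializedOrigin`, and the new algorithm's parameter is also named `serializedOrigin`, so `origin` is not defined at that point. Pass `serializedOrigin` so the check runs against the serialized request origin computed in the previous step.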

Still uses `span`.

> @@ -4399,15 +4402,23 @@ steps:
 
  <li><p>If <var>timingInfo</var> is null, then return.
 
- <li>
-  <p>If <var>response</var>'s <a for=response>timing allow passed flag</a> is not set, then:
+ <li><p>Let <var>taoStatus</var> be <code>success</code>.
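
Review bot: initializing `taoStatus` to success in the added line makes a pass the default outcome, where the removed step acted on the response's timing allow passed flag not being set. If any later path can leave `taoStatus` untouched, timing details would be reported without a check having succeeded; starting from failure and switching to success only once the checks pass would fail closed.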

Can we make this "Let taoSucceeded be true" instead? That seems preferable to introducing new types.

> @@ -266,6 +266,9 @@ following <a for=struct>items</a>: [[RESOURCE-TIMING]] [[NAVIGATION-TIMING]]
 
  <dt><dfn export for="fetch timing info">final connection timing info</dfn> (default null)
  <dd>Null or a <a for=/>connection timing info</a>.
+
+ <dt><dfn for="fetch timing info">TAO checks</dfn> (default an empty list)
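
Review bot: the added `TAO checks` dfn has no `export` attribute, while the `final connection timing info` dfn directly above it in the same struct does. If specifications that consume fetch timing info are expected to link to this item, add `export`; if it is meant to stay internal to Fetch, a short note saying so would make the difference from its neighbours clearly intentional.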

```suggestion
 <dt><dfn for="fetch timing info">TAO checks</dfn> (default « »)
```

> @@ -266,6 +266,9 @@ following <a for=struct>items</a>: [[RESOURCE-TIMING]] [[NAVIGATION-TIMING]]
 
  <dt><dfn export for="fetch timing info">final connection timing info</dfn> (default null)
  <dd>Null or a <a for=/>connection timing info</a>.
+
+ <dt><dfn for="fetch timing info">TAO checks</dfn> (default an empty list)
+ <dd>A list of algorithms accepting an <a for=/>ASCII string</a>

"A list of algorithms each of which takes an ASCII string and returns ???"

> @@ -4678,6 +4689,11 @@ these steps:
 
    <li><p>If the <a>TAO check</a> for <var>request</var> and <var>response</var> returns failure,
    then set <var>request</var>'s <a for=request>timing allow failed flag</a>.
+
+   <li><p>Otherwise, <a for=list>append</a> the following steps given <a for=/>ASCII string</a>

given an*

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1422#pullrequestreview-948529856

Received on Thursday, 21 April 2022 12:30:36 UTC