Re: [whatwg/fetch] Perform a CSP check when consuming preloaded response (PR #1411)

> * It seems that "Run report Content Security Policy violations for request" wouldn't happen.
> * Mike's scenario of scheme upgrades seems problematic. Yes, perhaps there's an HTTP cache entry, but is that guaranteed? And either way, wouldn't it result in a service worker being asked whereas if the scheme upgrade happened before that wouldn't be the case? (Scheme upgrades is also what Mixed Content Level 2 does.)
> 
> I haven't done a complete check, but this seems concerning and also suggests a potential mismatch with implementations that might cause further issues in the future.

I refactored preload handling - where a preload scenario goes through the same checks as any other fetch, but uses the preloaded response instead of seeking it in network or cache. This seems to be the safest, and allows us to incorporate different memory cache scenarios later by folding them into `consume a preloaded resource`. WDYT?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1411#issuecomment-1065144852

Message ID: <whatwg/fetch/pull/1411/c1065144852@github.com>

Received on Friday, 11 March 2022 14:07:38 UTC