Re: [whatwg/fetch] Perform a CSP check when consuming preloaded response (PR #1411) from Anne van Kesteren on 2022-03-16 (public-webapps-github@w3.org from March 2022)

From: Anne van Kesteren <notifications@github.com>
Date: Wed, 16 Mar 2022 03:01:33 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1411/review/911352114@github.com>

@annevk commented on this pull request.

This looks really solid. This would result in reporting twice, right? Is that a case we might want to adjust to not do that or is it fine?

>     <li><p>Let <var>onPreloadedResponseAvailable</var> be an algorithm that runs the following
-   step <a>in parallel</a> given a <a for=/>response</a> <var>response</var>: run
-   <a>fetch finale</a> given <var>response</var> and <var>fetchParams</var>.
+   step given a <a for=/>response</a> <var>response</var>: Set <var>fetchParams</var>'s

```suggestion
   step given a <a for=/>response</a> <var>response</var>: set <var>fetchParams</var>'s
```

> @@ -4001,6 +4008,17 @@ steps:
   corresponding to the first matching statement:
 
   <dl class=switch>
+   <dt><var>fetchParams</var>'s <a for="fetch params">preloaded response candidate</a> is not null
+
+   <dd>
+    <ol>
+     <li><p>Wait until <var>fetchParams</var>'s
+     <a for="fetch params">preloaded response candidate</a> is not "<code>pending</code>".
+

Add an assert here that it's now a response?

> @@ -3855,9 +3858,12 @@ the request.
    with <var>request</var>'s <a for=request>client</a>'s
    <a for="environment settings object">origin</a>.
 
+   <li><p>Set <var>fetchParams</var>'s <a for="fetch params">preloaded response candidate</a> to
+   "<code>pending</code>".

How about instead of having this step, we only set state to "pending" in the last step if _foundPreloadedResource_ is true? Although I guess we'd have to make sure it's not a response already in case it was all available synchronously.

So you'd get

> If _foundPreloadedResource_ is true and _fetchParams_'s preloaded response candidate is null, set _fetchParams_'s preloaded response candidate to "pending".

That seems a little clearer to me.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1411#pullrequestreview-911352114
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1411/review/911352114@github.com>

Received on Wednesday, 16 March 2022 10:01:45 UTC