[whatwg/fetch] Add unsafe-no-cors mode (PR #1533)

We identified a potential need for a more sustainable no-cors mode in discussion surrounding FedCM. The purpose is to create a browser-process priveleged mode that will not fail the Access-Control-Allow-Origin CORS checks while otherwise behaving like a normal CORS request.

Here are the deviations I have made from cors mode to make unsafe-no-cors are:

- do not perform the "CORS check" (ACAO/ACAC)
- allow the request to set a new omit origin flag that forces omission of the Origin header
- require a request to have a policy container specified (via the client is allowed)
- require the service worker mode to not be all

Because this is such an unsafe mode I added an explanation inline with the other definitions of request modes and a warning about concerns and hand-waves about the client's agent cluster.

Happy to get feedback on this draft!


- [ ] At least two implementers are interested (and none opposed):
   * Mozilla
- [ ] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
   * 
- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
   * Chromium: …
   * Gecko: …
   * WebKit: …
   * Deno (not for CORS changes): …
- [ ] [MDN issue](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) is filed: 
   * 


You can view, comment on, or merge this pull request online at:

  https://github.com/whatwg/fetch/pull/1533


-- Commit Summary --

  * Add unsafe-no-cors mode

-- File Changes --

    M fetch.bs (59)

-- Patch Links --

https://github.com/whatwg/fetch/pull/1533.patch

https://github.com/whatwg/fetch/pull/1533.diff


-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1533

You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1533@github.com>