Re: [whatwg/fetch] Add unsafe-no-cors mode (PR #1533)

@jyasskin commented on this pull request.



> @@ -1796,13 +1798,27 @@ to not have to set <a for=/>request</a>'s <a for=request>referrer</a>.
   <dt>"<code>navigate</code>"
   <dd>This is a special mode used only when <a>navigating</a> between documents.
 
+  <dt>"<code>unsafe-no-cors</code>"

Consider naming this something like "host-no-cors" or "ua-no-cors" or something else that indicates what purpose it serves. Just "unsafe" is likely to scare off people who should use it, and not dissuade overconfident people who think they know what they're doing. Since this is only for use in web standards, that'll get caught eventually in spec review, but that could be much later than we want, and a better name could move the right design earlier.

> + <p class=warning> Using <a for=/>request</a> <a for=request>mode</a> "<code>unsafe-no-cors</code>"
+ is even more discouraged and unsafe than "<code>no-cors</code>". Any use of this mode must be in an
+ <a>agent cluster</a> associated with the <a>host environment</a> itself to isolate its results from
+ misuse. This <a for=request>mode</a> is deliberately not exposed in the {{RequestMode}}.
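
Review bot: The "must be in an agent cluster associated with the host environment" sentence puts a requirement inside a `<p class=warning>` block, where it is easy to read as advisory. State the requirement in the mode's definition and keep the warning for the rationale. The warning also calls the mode "even more discouraged and unsafe" than "no-cors" without saying what a caller gets that "no-cors" does not give, so a reader cannot tell what "isolate its results from misuse" has to protect against; one sentence naming that would help. Minor: "not exposed in the {{RequestMode}}" is missing its noun, for example "the {{RequestMode}} enumeration".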

I think this'll be more discoverable if it's inside the definition of the new mode, rather than down here at the bottom. If you want this mode to be at the bottom, put it at the bottom of the `<dl>`.

> @@ -1796,13 +1798,27 @@ to not have to set <a for=/>request</a>'s <a for=request>referrer</a>.
   <dt>"<code>navigate</code>"
   <dd>This is a special mode used only when <a>navigating</a> between documents.
 
+  <dt>"<code>unsafe-no-cors</code>"
+  <dd>This is a special mode for the <a>host environment</a> to use internally to wittingly make
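
Review bot: On the added `<dd>` line, "to use internally to wittingly make" is hard to parse. "Wittingly" is rare enough to slow readers down, and "deliberately", which the warning paragraph already uses, says the same thing in a plainer word.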

Is "host environment" the right term? It's odd to borrow a JavaScript term for something in Fetch that's not integrated in any other way with JavaScript infrastructure. I might just use [[=user agent=]](https://infra.spec.whatwg.org/#user-agent).

> +  return a <a>cors filtered response</a>. However, a request with this mode cannot
+  use <a>service-workers mode</a> "<code>all</code>".
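
Review bot: "cannot use service-workers mode "all"" on the last added line reads as a statement of fact rather than a requirement, and nothing in these lines says what happens if a request arrives with this mode and service-workers mode "all". Phrase it as a requirement on whoever creates the request, or have the algorithm that consumes the mode assert it, so the restriction is checkable.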

This is out of order, with a restriction on the request coming after the description of the response. We should have all the request restrictions together.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1533#pullrequestreview-1184904333

Message ID: <whatwg/fetch/pull/1533/review/1184904333@github.com>

Received on Thursday, 17 November 2022 19:37:55 UTC