Re: [whatwg/fetch] Add unsafe-no-cors mode (PR #1533)

@jyasskin commented on this pull request.



> @@ -1796,13 +1798,27 @@ to not have to set <a for=/>request</a>'s <a for=request>referrer</a>.
   <dt>"<code>navigate</code>"
   <dd>This is a special mode used only when <a>navigating</a> between documents.
 
+  <dt>"<code>unsafe-no-cors</code>"

IIUC, the point of this mode is that it must only be used from the browser process or an equivalently-trusted process, so the response was *already* exposed there. If it's invoked by that sort of caller, are there any situations where it would still be unsafe?

I have a general rule to avoid "unsafe" and "safe" in naming, since they usually refer to just one kind of safety that was salient to the original author (here, exposure of resource bytes, I think), and future users tend to assume a different kind of safety and so get into trouble.

We could be more specific about what's unsafe instead of trying to name according to the intended caller. E.g. "no-cors-override-exposure-policies". But I suspect that naming according to the intended caller will make it easier to figure out how to maintain this mode's behavior in the future.

> @@ -1796,13 +1798,27 @@ to not have to set <a for=/>request</a>'s <a for=request>referrer</a>.
   <dt>"<code>navigate</code>"
   <dd>This is a special mode used only when <a>navigating</a> between documents.
 
+  <dt>"<code>unsafe-no-cors</code>"
+  <dd>This is a special mode for the <a>host environment</a> to use internally to wittingly make
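
Review bot: In the added `<dd>`, "wittingly" is an uncommon word for spec prose; "deliberately" or "knowingly" reads more plainly. The visible text also limits the mode to the host environment only by calling it "special" and "internal", in the same style as the `navigate` entry above it; if the rest of the entry does not already say so, state explicitly that web-exposed APIs cannot set this mode.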

I would probably change both to "user agent" or say something about the required memory isolation in the warning, but I don't feel strongly about it. I think we really want something about how trusted the other code in that agent cluster's process is, but I don't think we have the right terms defined for that, and I don't think this change needs to block on thinking through and defining those.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1533#discussion_r1033999361

Message ID: <whatwg/fetch/pull/1533/review/1196474718@github.com>

Received on Monday, 28 November 2022 20:15:51 UTC