- From: Anne van Kesteren <notifications@github.com>
- Date: Mon, 24 Apr 2023 01:02:56 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1620/review/1397379691@github.com>
@annevk commented on this pull request.
It's unfortunate these have to be separate algorithms. I was hoping we could do CSP checks as part of the normal "obtain a connection" routine.
> @@ -3022,6 +3022,78 @@ details of reused connections are not exposed and time values are coarsened.
</div>
+<h3 id=preemptive-connection-operations>Preemptive connection operations</h3>
+
+<div algorithm="preemmptively-obtain-a-connection">
+<p>To <dfn export>preemptively obtain a connection</dfn>, given an
+<a>environment settings object</a> <var>environment</var>, a <a for=/>URL</a> <var>url</var>, and a
+boolean <var>credentials</var>, run these steps:
+
+<ol>
+ <li><p>Let <var>key</var> be the result of <a for=/>determining the network partition key</a> given
+ <var>environment</var>.
+
+ <li>
+ <p><a>Check CSP for preemptive operation</a> with <var>environment</var> and <var>url</var>. If
+ that returns <b>allowed</b>, <a>Obtain a connection</a> with <var>key</var>, <var>url</var> and
```suggestion
that returns <b>allowed</b>, <a>obtain a connection</a> with <var>key</var>, <var>url</var> and
```
> +<a>environment settings object</a> <var>environment</var>, a <a for=/>URL</a> <var>url</var>, and a
+boolean <var>credentials</var>, run these steps:
+
+<ol>
+ <li><p>Let <var>key</var> be the result of <a for=/>determining the network partition key</a> given
+ <var>environment</var>.
+
+ <li>
+ <p><a>Check CSP for preemptive operation</a> with <var>environment</var> and <var>url</var>. If
+ that returns <b>allowed</b>, <a>Obtain a connection</a> with <var>key</var>, <var>url</var> and
+ <var>credentials</var>.
+
+ <p class=note>This connection is obtained but not used directly. It will remain in the
+ <a>connection pool</a> for subsequent use.
+
+ <p class=note>The user agent should attempt to initiate a preconnect and perform the full
Cannot have should in a note. Why does this even pass CI?
> @@ -8688,7 +8760,7 @@ to discuss. [[CSP]]
<a>environment settings object</a> you're operating in. Web-exposed APIs are generally defined with
Web IDL, for which every object that implements an <a>interface</a> has a
<a>relevant settings object</a> you can use. For example, a <a for=/>request</a> associated with an
-<a for=/>element</a> would set the <a for=/>request</a>'s <a for=request>client</a> to the element's
+{{Element}} would set the <a for=/>request</a>'s <a for=request>client</a> to the element's
This is wrong.
> + that returns <b>blocked</b>, return.
+
+ <li><p>Let <var>proxies</var> be the result of finding proxies for <var>url</var> in an
+ <a>implementation-defined</a> manner.
+
+ <li>
+ <p>If <var>proxies</var> is <a for=list>empty</a>, or if <var>proxies</var>
+ <a for=list>contains</a> "<code>DIRECT</code>", then <a>resolve an origin</a> given <var>key</var>
+ and <var>url</var>'s <a for=url>origin</a>.
+
+ <p class=note>As the results of this algorithm can be cached, future fetches could be faster.
+</ol>
+</div>
+
+<div algorithm="check-preemptive-operation-csp">
+<p>To <dfn>Check CSP for preemptive operation</dfn>, given an
```suggestion
<p>To <dfn>check CSP for preemptive operation</dfn>, given an
```
> +</ol>
+</div>
+
+<div algorithm="check-preemptive-operation-csp">
+<p>To <dfn>Check CSP for preemptive operation</dfn>, given an
+<a>environment settings object</a> <var>environment</var>, and a <a for=/>URL</a> <var>url</var>,
+run these steps:
+
+<ol>
+ <li><p>Let <var>request</var> be a <a for=/>request</a> whose <a for=request>URL</a> is
+ <var>url</var>, <a for=request>initiator</a> is "<code>prefetch</code>", and whose
+ <a for=request>client</a> is <var>environment</var>.
+
+ <li><p>Return the result of running <a>should request be blocked by Content Security Policy?</a>
+ given <var>request</var>.
+
Nit: redundant newline.
> @@ -3022,6 +3022,78 @@ details of reused connections are not exposed and time values are coarsened.
</div>
+<h3 id=preemptive-connection-operations>Preemptive connection operations</h3>
No need for "operations" (pluralize connection instead).
> +</div>
+
+<div algorithm="preemmptively-resolve-an-origin">
+<p>To <dfn export>preemptively resolve an origin</dfn>, given an
+<a>environment settings object</a> <var>environment</var> and a <a for=/>URL</a> <var>url</var>, run
+these steps:
+
+<ol>
+ <li><p>Let <var>key</var> be the result of <a for=/>determining the network partition key</a> given
+ <var>environment</var>.
+
+ <li><p><a>Check CSP for preemptive operation</a> with <var>environment</var> and <var>url</var>. If
+ that returns <b>blocked</b>, return.
+
+ <li><p>Let <var>proxies</var> be the result of finding proxies for <var>url</var> in an
+ <a>implementation-defined</a> manner.
This step probably be abstracted with the same logic in "obtain a connection".
> + that returns <b>blocked</b>, return.
+
+ <li><p>Let <var>proxies</var> be the result of finding proxies for <var>url</var> in an
+ <a>implementation-defined</a> manner.
+
+ <li>
+ <p>If <var>proxies</var> is <a for=list>empty</a>, or if <var>proxies</var>
+ <a for=list>contains</a> "<code>DIRECT</code>", then <a>resolve an origin</a> given <var>key</var>
+ and <var>url</var>'s <a for=url>origin</a>.
+
+ <p class=note>As the results of this algorithm can be cached, future fetches could be faster.
+</ol>
+</div>
+
+<div algorithm="check-preemptive-operation-csp">
+<p>To <dfn>Check CSP for preemptive operation</dfn>, given an
Perhaps this can have a more descriptive name such as "does CSP allow a connection" and we normalize the return value from CSP to true/false while we're here.
--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1620#pullrequestreview-1397379691
You are receiving this because you are subscribed to this thread.
Message ID: <whatwg/fetch/pull/1620/review/1397379691@github.com>
Received on Monday, 24 April 2023 08:03:01 UTC