- From: Anne van Kesteren <notifications@github.com>
- Date: Mon, 08 May 2023 03:53:16 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1620/review/1416563472@github.com>
@annevk commented on this pull request.
> @@ -2846,16 +2846,7 @@ steps:
<a>connection</a>.
</ol>
- <li>
- <p>Let <var>proxies</var> be the result of finding proxies for <var>url</var> in an
- <a>implementation-defined</a> manner. If there are no proxies, let <var>proxies</var> be
- « "<code>DIRECT</code>" ».
-
- <p class=note>This is where non-standard technology such as
- <a href="https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol">Web Proxy Auto-Discovery Protocol (WPAD)</a>
- and <a href="https://en.wikipedia.org/wiki/Proxy_auto-config">proxy auto-config (PAC)</a> come
- into play. The "<code>DIRECT</code>" value means to not use a proxy for this particular
- <var>url</var>.
+ <li><p>Let <var>proxies</var> of calling <a>resolve proxies</a> given <var>url</var>.
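Review bot: the removed step carried both the fallback to « "DIRECT" » when no proxies are found and the note explaining what "DIRECT" means and where WPAD and PAC come into play, and the single replacement line keeps neither. Other steps in this patch test whether `proxies` contains "DIRECT", so please confirm that the definition of resolve proxies now holds that fallback and the note; nothing in this hunk shows where they moved.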
This is still missing words. "be the result" presumably.
> + <var>environment</var>.
+
+ <li>Run <p><a>Should connection be allowed by Content Security Policy?</a> with
+ <var>environment</var> and <var>url</var>. If that returns <b>blocked</b>, return.
+
+ <li><p>Let <var>proxies</var> be the result of calling <a>resolve proxies</a>.
+
+ <li>
+ <p>If <var>proxies</var> <a for=list>contains</a> "<code>DIRECT</code>", then
+ <a>resolve an origin</a> given <var>key</var> and <var>url</var>'s <a for=url>origin</a>.
+
+ <p class=note>As the results of this algorithm can be cached, future fetches could be faster.
+</ol>
+</div>
+
+<div algorithm="check-preemptive-operation-csp">
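Review bot: in the first added step, `<li>Run <p><a>Should connection be allowed by Content Security Policy?</a>` opens the paragraph after the word "Run", so that word sits outside the `<p>`. The following steps use `<li><p>`, and this one should read `<li><p>Run <a>…` to match.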
This attribute value isn't needed.
> + <p class=note>This connection is obtained but not used directly. It will remain in the
+ <a>connection pool</a> for subsequent use.
+
+ <p class=note>The user agent can attempt to initiate a preconnect and perform the full
+ connection handshake (DNS+TCP for HTTP, and DNS+TCP+TLS for HTTPS origins) whenever possible, but
+ is allowed to elect to perform a partial handshake (DNS only for HTTP, and DNS or DNS+TCP for
+ HTTPS origins), or skip it entirely, due to resource constraints or other reasons.</p>
+
+ <p class=note>The optimal number of connections per origin is dependent on the negotiated
+ protocol, users current connectivity profile, available device resources, global connection
+ limits, and other context specific variables. As a result, the decision for how many connections
+ should be opened is deferred to the user agent.</p>
+</ol>
+</div>
+
+<div>
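Review bot: in the last note, "users current connectivity profile" should be "user's current connectivity profile", and "context specific variables" reads better hyphenated. The second and third notes also close with `</p>` while the first note leaves its `<p>` unclosed; pick one style for the three.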
This needs an `algorithm` attribute.
> +
+ <li>Run <p><a>Should connection be allowed by Content Security Policy?</a> with
+ <var>environment</var> and <var>url</var>. If that returns <b>blocked</b>, return.
+
+ <li><p>Let <var>proxies</var> be the result of calling <a>resolve proxies</a>.
+
+ <li>
+ <p>If <var>proxies</var> <a for=list>contains</a> "<code>DIRECT</code>", then
+ <a>resolve an origin</a> given <var>key</var> and <var>url</var>'s <a for=url>origin</a>.
+
+ <p class=note>As the results of this algorithm can be cached, future fetches could be faster.
+</ol>
+</div>
+
+<div algorithm="check-preemptive-operation-csp">
+<p>To <dfn>Should connection be allowed by Content Security Policy?</dfn>, given an
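Review bot: the step `Let proxies be the result of calling resolve proxies.` passes no argument, while the first hunk in this review invokes the same algorithm as `resolve proxies given url`. Add `given <var>url</var>` here so the two call sites agree.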
This algorithm needs a better name. E.g., "determine if Content Security allows connection". The name shouldn't have a question mark and should read naturally after "To" if you're using to to lead it in.
> + <var>environment</var> and <var>url</var>. If that returns <b>blocked</b>, return.
+
+ <li><p>Let <var>proxies</var> be the result of calling <a>resolve proxies</a>.
+
+ <li>
+ <p>If <var>proxies</var> <a for=list>contains</a> "<code>DIRECT</code>", then
+ <a>resolve an origin</a> given <var>key</var> and <var>url</var>'s <a for=url>origin</a>.
+
+ <p class=note>As the results of this algorithm can be cached, future fetches could be faster.
+</ol>
+</div>
+
+<div algorithm="check-preemptive-operation-csp">
+<p>To <dfn>Should connection be allowed by Content Security Policy?</dfn>, given an
+<a>environment settings object</a> <var>environment</var>, and a <a for=/>URL</a> <var>url</var>,
+run these steps:
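Review bot: the condition `proxies contains "DIRECT"` holds for any list that includes "DIRECT", including one where a proxy comes first and "DIRECT" is only a later fallback, which a PAC result can produce. In that case the origin is still resolved locally even though the fetch may end up going through the proxy. If local resolution is meant only when no proxy will be used, the step should say so; if resolving for the fallback case is intended, a sentence in the note would make that explicit.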
No need for "run these steps" when you lead it in with "To".
> + <li><p>Return the result of running <a>should request be blocked by Content Security Policy?</a>
+ given <var>request</var>.
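Review bot: the algorithm being defined is named "Should connection be allowed by Content Security Policy?" but this step returns the result of "should request be blocked by Content Security Policy?" unchanged, so the name and the return value have opposite polarity, and the caller quoted above tests `If that returns <b>blocked</b>`. Whatever form the return value takes, define it here and make the algorithm's name and the caller's check agree with it.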
We should put the result in a variable first and then convert that to a boolean.
--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1620#pullrequestreview-1416563472
Received on Monday, 8 May 2023 10:53:23 UTC