Re: [whatwg/fetch] HTTPS upgrades proposal (PR #1655)

@annevk commented on this pull request.

@mozfreddyb you mentioned redirects a few times. Could you stipulate the concern more clearly? Mostly that if you have HTTPS A redirecting to HTTP B we'd attempt an upgrade of B?

> @@ -6011,7 +6132,8 @@ optional boolean <var>forceNewConnection</var> (default false), run these steps:
 
    <li><p>If <var>connection</var> is an HTTP/1.x connection, <var>request</var>'s
    <a for=request>body</a> is non-null, and <var>request</var>'s <a for=request>body</a>'s
-   <a for=body>source</a> is null, then return a <a>network error</a>.
+   <a for=body>source</a> is null, then return the result of running <a>HTTPS upgrade fallback</a>
+   given <var>request</var> and <var>network error</var>.
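
Review bot: In the added lines, "given <var>request</var> and <var>network error</var>" marks up "network error" as a variable, but no variable of that name is defined in the visible step, and the line being replaced linked the term as <a>network error</a>. Suggest "given <var>request</var> and a <a>network error</a>" so the argument keeps its cross-reference. This step also only applies when <var>request</var>'s body is non-null, while the upgrade algorithm added elsewhere in this patch returns early unless the method is "GET", so it is worth stating whether an upgraded request can reach this branch at all.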

This is a streaming case. I don't think we should touch this. This also won't be true for the scenario we care about: navigation.

> @@ -6030,7 +6152,8 @@ optional boolean <var>forceNewConnection</var> (default false), run these steps:
       buffer of up to 64 kibibytes and store a part of <var>request</var>'s <a for=request>body</a>
       in that buffer. If the user agent reads from <var>request</var>'s <a for=request>body</a>
       beyond that buffer's size and the user agent needs to resend <var>request</var>, then instead
-      return a <a>network error</a>.
+      return the result of running <a>HTTPS upgrade fallback</a> given <var>request</var> and
+      <var>network error</var>.
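
Review bot: The replaced return sits in the branch where the user agent "needs to resend <var>request</var>" but has already read the body beyond the 64 kibibyte buffer, so the body cannot be replayed; handing the same <var>request</var> to <a>HTTPS upgrade fallback</a> here needs a sentence saying the fallback will not try to send that body again, or this step should keep returning a plain <a>network error</a>. The second argument has the same markup problem as in the previous hunk: <var>network error</var> should be <a>network error</a>.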

This again is a streaming case. It won't be true for navigation.

> +<div algorithm>
+<p>To <dfn>upgrade an HTTP request</dfn> given a <a for=/>request</a> <var>request</var>:
+
+<ol>
+ <li>
+  <p>If one or more of the following conditions are met, return:
+  <ul>
+   <li><p><var>request</var>'s <a for="request">destination</a> is not "<code>document</code>"
+
+   <li><p><var>request</var>'s <a for="request">method</a> is not "<code>GET</code>"
+
+   <li><p><var>request</var>'s <a for="request">URL</a>'s <a for="url">scheme</a> is not
+   "<code>http</code>"
+
+   <li><p><var>request</var>'s <a for="request">URL</a>'s <a for="url">host</a> is exempted from
+   upgrades in an <a>implementation-defined</a> way.
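
Review bot: The condition list in step 1 is inconsistent with the markup conventions in the surrounding spec text shown in the other hunks: it uses quoted attributes (for="request", for="url") where the existing context lines use for=request and for=body, a bare <ul> where the existing list uses <ul class=brief>, and only the last item ends with a full stop. Suggest matching the existing style throughout the new block. The lead-in "If one or more of the following conditions are met, return" would also read more clearly with a short non-normative note after the list explaining why each condition skips the upgrade.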

Maybe we can give some examples here. Also, is this purely based on host or is port part of the consideration? Maybe we should talk about origin instead?

> @@ -5157,8 +5279,6 @@ these steps:
       <p>If one of the following is true
 
       <ul class=brief>
-       <li><p><var>response</var>'s <a for=response>type</a> is "<code>error</code>"
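
Review bot: Removing the first item of the <ul class=brief> list means a <var>response</var> whose type is "<code>error</code>" no longer satisfies "If one of the following is true", and nothing in the visible lines shows where that case is handled instead. Either restore the item or point to the step that now covers error responses, since the other hunks in this patch change what is returned on a network error.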

It looks like you haven't undone the change here.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1655#pullrequestreview-1732310982

Message ID: <whatwg/fetch/pull/1655/review/1732310982@github.com>

Received on Wednesday, 15 November 2023 15:41:42 UTC