Re: [whatwg/fetch] Allow HTTP scheme fetches to make CORS preflight (PR #1785) from Dominic Farolino on 2024-11-12 (public-webapps-github@w3.org from November 2024)

From: Dominic Farolino <notifications@github.com>
Date: Tue, 12 Nov 2024 10:32:33 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1785/review/2430399730@github.com>

@domfarolino commented on this pull request.

So the idea with this PR is that `<var>makeCORSPreflight</var>` variable is really closer to "makeCORSPreflight if needed", and can be set to true because it won't trigger unless the request would otherwise call for preflights by using an unsafe method or request header.

But I think this PR will have side effects on other requests that would suddenly start triggering preflights, when they shouldn't. For example:

```
fetch("https://google.com", {method: 'GET', mode: 'no-cors', headers: {'Content-Type': 'application/json'}})
```

... uses an unsafe request header, which would ordinarily trigger a preflight, but for the `no-cors` mode which never sends preflights[^1]. I think this PR would change that, and preflights would be sent for these kinds of `no-cors` requests, at the very least.

Another way to achieve this is to set the [use-CORS-preflight](https://fetch.spec.whatwg.org/#use-cors-preflight-flag) flag on the relevant kinds of navigation requests that we want to subject to preflights. Unfortunately, that wouldn't integrate cleanly with "Main fetch" today, given how `mode=navigate` fetches are [handled before](https://fetch.spec.whatwg.org/#ref-for-concept-request-mode%E2%91%A0%E2%91%A0) we consider [the use-CORS-preflight flag, just a few conditions down](https://fetch.spec.whatwg.org/#ref-for-use-cors-preflight-flag%E2%91%A1).

So maybe the best option is to modify scheme fetch to only turn a false "makeCORSPreflight" to true if the request mode is navigate (instead of unconditionally as you're doing now)?

[^1]: This is because scheme fetch is [invoked from the no-cors path](https://fetch.spec.whatwg.org/#ref-for-concept-request-mode%E2%91%A0%E2%91%A2), which today calls HTTP fetch without the `makeCORSPreflight` variable set to true, so we would never even test the method or request headers.



-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1785#pullrequestreview-2430399730
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1785/review/2430399730@github.com>

Received on Tuesday, 12 November 2024 18:32:37 UTC