- From: Alexander Petros <notifications@github.com>
- Date: Tue, 12 Nov 2024 21:31:48 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1785/c2472431100@github.com>
@domfarolino First of all, thank you so much for the thoughtful review!

> So the idea with this PR is that <var>makeCORSPreflight</var> variable is really closer to "makeCORSPreflight if needed", and can be set to true because it won't trigger preflights except for when requests otherwise demand them by using an unsafe method or request header?

Yes, this is my understanding of [HTTP Fetch Step 4.1](https://fetch.spec.whatwg.org/#ref-for-concept-cache-match-method), which only issues the preflight if the request has attributes (method or headers) that are not CORS-safelisted (or if the [use-CORS-Preflight](https://fetch.spec.whatwg.org/#use-cors-preflight-flag) flag is set); otherwise, it proceeds as normal (the path navigation takes today). I'm happy to rename it, but my instinct is to touch as little as possible.

> Another way to achieve this is to set the [use-CORS-preflight](https://fetch.spec.whatwg.org/#use-cors-preflight-flag) flag on the relevant kinds of navigation requests that we want to subject to preflights. Unfortunately, that wouldn't integrate cleanly with "Main fetch" today, given how mode=navigate fetches are [handled before](https://fetch.spec.whatwg.org/#ref-for-concept-request-mode%E2%91%A0%E2%91%A0) we consider [the use-CORS-preflight flag, just a few conditions down](https://fetch.spec.whatwg.org/#ref-for-use-cors-preflight-flag%E2%91%A1).

I agree that this is not ideal. It would also create some confusion around when exactly CORS is supposed to be checked in the request lifecycle. Since it already happens in one path that the navigation fetch will definitely reach (HTTP fetch), I'd like to re-use that logic if possible.

> So maybe the best option is to modify scheme fetch to only turn a false "makeCORSPreflight" to true if the request mode is navigate (instead of unconditionally as you're doing now)?

This seems great, and more narrow. There's also precedent for [inspecting the request mode](https://fetch.spec.whatwg.org/#ref-for-concept-request-mode%E2%91%A0%E2%91%A4) after that [main switch](https://fetch.spec.whatwg.org/#ref-for-concept-request-mode%E2%91%A0%E2%91%A0). I will go ahead and make that change!

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1785#issuecomment-2472431100
Received on Wednesday, 13 November 2024 05:31:52 UTC