[whatwg/fetch] Introduce "override fetch". (PR #1840)

This change aims to explain how and when user agents intervene against requests in order to protect users. It introduces a new stage in Fetching, which gives user agents a clear hook after a set of prerequisite checks (MIX, CSP, etc.) are performed in Main Fetch.

This was originally proposed (and is explained in a bit more detail) in https://explainers-by-googlers.github.io/script-blocking/, and the hook's details and exact positioning were informed by the discussion in https://github.com/explainers-by-googlers/script-blocking/issues/2.

- [ ] At least two implementers are interested (and none opposed):
   * Multiple browsers ship this kind of behavior (whether in the form of Safe Browsing, tracking protection, etc.). The brief discussion in https://github.com/explainers-by-googlers/script-blocking/issues/2 suggests that there's interest in standardizing the broad strokes of the behavior by providing this implementation-defined hook.

- [ ] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
   * The exact set of resources against which user agents intervene is not (and likely cannot be) standardized. https://explainers-by-googlers.github.io/script-blocking/#testing suggests one approach to testing which might allow vendors to verify that their interventions are consistently positioned within Fetch, but that infrastructure hasn't yet been built or agreed upon. If there's interest in doing so, I'll happily file an issue against [web-platform-tests/rfcs](https://github.com/web-platform-tests/rfcs) to discuss.
- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
   * As above, all browsers currently ship something like this. In my (limited) testing, they all seem to agree on the broad strokes of when the check happens.
- [ ] [MDN issue](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) is filed:
   * This seems unnecessary for this change, but I'm happy to put together documentation if it's deemed helpful.
- [X] The top of this comment includes a [clear commit message](https://github.com/whatwg/meta/blob/main/COMMITTING.md) to use.

(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)

***
[Preview](https://whatpr.org/fetch/1840.html "Last updated on Jul 9, 2025, 7:22 AM UTC (f798b2c)") | [Diff](https://whatpr.org/fetch/1840/5261b51...f798b2c.html "Last updated on Jul 9, 2025, 7:22 AM UTC (f798b2c)")

You can view, comment on, or merge this pull request online at:

  https://github.com/whatwg/fetch/pull/1840

-- Commit Summary --

  * Introduce "override fetch".

-- File Changes --

    M fetch.bs (103)

-- Patch Links --

https://github.com/whatwg/fetch/pull/1840.patch
https://github.com/whatwg/fetch/pull/1840.diff

Message ID: <whatwg/fetch/pull/1840@github.com>

Received on Wednesday, 9 July 2025 07:23:19 UTC