Re: [whatwg/fetch] CORS readability for no-cors requests (Issue #1839)

pmeenan left a comment (whatwg/fetch#1839)

First round of discussions from the webperf working group at TPAC 2025 raised concerns about unexpected changes to embedders if 3rd-party resources suddenly became CORS-readable, specifically around error stacks unexpectedly containing 3rd-party details when the first-party might not be expecting it.

Another option that would solve only the dictionary use case and maintain existing behavior would be to mark responses as effectively "readable" but still treat them as opaque from the caller's perspective.

Something like `Compression-Dictionary: readable`.

The main risk there is we would be relying on docs to explain to people that that makes the contents effectively readable from the document through side-channel attacks, rather than it being obviously readable, but it avoids the risk of randomly changing behavior that is web-visible.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1839#issuecomment-3514696583

Message ID: <whatwg/fetch/issues/1839/3514696583@github.com>

Received on Tuesday, 11 November 2025 02:18:17 UTC