Re: [whatwg/fetch] Add support for compression dictionary transport (PR #1854)

@pmeenan commented on this pull request.



> @@ -1798,6 +1801,7 @@ is "<code>all</code>" or "<code>none</code>". Unless stated otherwise it is "<co
 <p>A <a for=/>request</a> has an associated
 <dfn export for=request id=concept-request-initiator>initiator</dfn>, which is
 the empty string,
+"<code>compression-dictionary</code>",

Fixed, thanks.

> @@ -6385,12 +6412,131 @@ run these steps:
  <li><p>If <var>isAuthenticationFetch</var> is true, then create an <a>authentication entry</a> for
  <var>request</var> and the given realm.
 
+ <li>
+  <p>If <var>response</var>'s <a for=response>header list</a>
+  <a for="header list">contains</a> `<code>Use-As-Dictionary</code>`, then:
+  <!-- This is defined in [[!HTTP-COMPRESSION-DICTIONARIES]] -->
+
+  <ol>
+   <li><p>Let <var>dictionaryValue</var> be the result of
+   <a for="header list">getting a structured field value</a> given `<code>Use-As-Dictionary</code>`,
+   "<code>dictionary</code>", and <var>response</var>'s <a for=response>header list</a>.
+
+   <li><p>If <var>dictionaryValue</var> is null or <var>dictionaryValue</var>["<code>match</code>"]
+   does not <a for=map>exist</a>, then return <var>response</var>.
+
+   <li><p>Let <var>pattern</var> be the result of creating a URL pattern from
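
Review bot: The reference to [[!HTTP-COMPRESSION-DICTIONARIES]] in the first added step sits inside an HTML comment, so it never reaches readers of the rendered spec. Suggest moving it into the step's prose, for example by linking `Use-As-Dictionary` to the document that defines it, so the header's definition is discoverable from the algorithm.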

Added (let me know if the reference to the urlpattern spec should be handled differently - I tried to mimic what was used for resource timing).

> +  <a for="header list">contains</a> `<code>Use-As-Dictionary</code>`, then:
+  <!-- This is defined in [[!HTTP-COMPRESSION-DICTIONARIES]] -->
+
+  <ol>
+   <li><p>Let <var>dictionaryValue</var> be the result of
+   <a for="header list">getting a structured field value</a> given `<code>Use-As-Dictionary</code>`,
+   "<code>dictionary</code>", and <var>response</var>'s <a for=response>header list</a>.
+
+   <li><p>If <var>dictionaryValue</var> is null or <var>dictionaryValue</var>["<code>match</code>"]
+   does not <a for=map>exist</a>, then return <var>response</var>.
+
+   <li><p>Let <var>pattern</var> be the result of creating a URL pattern from
+   <var>dictionaryValue</var>["<code>match</code>"] and <var>request</var>'s
+   <a for=request>current URL</a>.
+
+   <li><p>If <var>pattern</var> is failure or <var>pattern</var> has regexp groups, then return
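
Review bot: The "match" steps only check that dictionaryValue["match"] exists before it is passed to URL pattern creation; nothing here checks that the member is a string. A structured field dictionary member can also be a token, number, boolean, byte sequence or inner list, so suggest returning response when the value is not a string, alongside the existing null / does-not-exist check.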

Fixed.

> +   <li><p>Let <var>compressionDictionaryCache</var> be the result of
+   <a>determining the compression-dictionary cache partition</a> given <var>request</var>.
+
+   <li><p>If <var>compressionDictionaryCache</var> is null, then return <var>response</var>.

Done

> +   <li><p>Let <var>corpPolicy</var> be the result of <a for="header list">getting</a>
+   `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` from <var>response</var>'s
+   <a for=response>header list</a>.
+
+   <li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>opaque</code>" and
+   <var>corpPolicy</var> is not `<code>cross-origin</code>`, then return <var>response</var>.
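
Review bot: In the last step, "corpPolicy is not `cross-origin`" also has to cover the case where the header is absent and getting returns null, and the step does not say so. Suggest stating it explicitly, in the step or in a note, so it is clear that an opaque response with no Cross-Origin-Resource-Policy header is never stored as a dictionary.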

I don't know if something more generic would make sense but my current plan is:
* Add a `compression dictionary blocked` flag to request that starts out as unset
* In main fetch, each time the response is processed and after `response tainting` has been updated and is currently `opaque`, check the corp header.
* If the header is missing or not set to `cross-origin` then set the `compression dictionary blocked` flag
* Replace the check here with a check of the `compression dictionary blocked` flag

I don't know if the same CORP readability logic could or should be used for anything else and a more generic tainting name should be used.

> +   <li><p>If <var>pattern</var> is failure or <var>pattern</var> has regexp groups, then return
+   <var>response</var>.
+
+   <li><p>Let <var>compressionDictionaryCache</var> be the result of
+   <a>determining the compression-dictionary cache partition</a> given <var>request</var>.
+
+   <li><p>If <var>compressionDictionaryCache</var> is null, then return <var>response</var>.
+
+   <li><p>Let <var>corpPolicy</var> be the result of <a for="header list">getting</a>
+   `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` from <var>response</var>'s
+   <a for=response>header list</a>.
+
+   <li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>opaque</code>" and
+   <var>corpPolicy</var> is not `<code>cross-origin</code>`, then return <var>response</var>.
+
+   <li><p>Let <var>expirationTime</var> be the time at which the <var>response</var> becomes stale.
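
Review bot: The expirationTime step describes "the time at which the response becomes stale" in prose only, without saying what happens when the response is already stale or has no freshness lifetime. Suggest linking the freshness definition and returning response early in those cases, so a dictionary is never stored with an expiration time in the past.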

Added a link to the `stale response` definition.

> + <li><p><a for="header list">Combine</a> (`<code>Accept-Encoding</code>`, `<code>dcb</code>`)
+ in <var>request</var>'s <a for=request>header list</a>.
+
+ <li><p><a for="header list">Combine</a> (`<code>Accept-Encoding</code>`, `<code>dcz</code>`)
+ in <var>request</var>'s <a for=request>header list</a>.
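
Review bot: Both steps use combine, which appends a new `Accept-Encoding` header when the header list does not yet contain one. Suggest stating where these steps run relative to the point at which the user agent adds its default `Accept-Encoding` value, so the request cannot end up advertising only `dcb, dcz`.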

`Accept-Encoding` is a [forbidden request header](https://fetch.spec.whatwg.org/#forbidden-request-header) so developers shouldn't be able to set it.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1854#discussion_r2794484754

Message ID: <whatwg/fetch/pull/1854/review/3786018316@github.com>

Received on Wednesday, 11 February 2026 17:56:47 UTC